Crazy Whirlwind Pre-Hackaday Prize Launch Tour

The Hackaday Prize was about to launch but the date wasn’t public yet. I decided to do a pre-launch tour to visit a few places and to drop in on some of the Hackaday Prize Judges. It started in Chicagoland, looped through San Francisco for a hardware meetup and Hardware Con, then finished with visits to [Ben Krasnow’s] workshop, [Elecia White’s] studio, and the Evil Mad Scientist Laboratories.

The Prize is now running and it’s time for you to enter. Look at some of the awesome hacking going on at the places I visited and then submit your own idea to get your entry started. Join me after the break for all the details of the adventure.


How to Directly Program an Inexpensive ESP8266 WiFi Module

The ESP8266 is the answer to “I want something with WiFi.” Surprisingly, there are a number of engineers and hobbyists who have not heard of this chip, or have heard of it but don’t really understand what it is. It’s basically the answer to everything IoT, and to so many engineering problems that have plagued the hobbyist and commercial world alike.

The chip is a processor with integrated RAM, some ROM, and a WiFi radio, and the only external components you will need are 4 capacitors, a crystal and an external flash! It’s CHEAP, like $4/ea cheap! Or $5 if you want it on a nice, convenient carrier board that includes all these components. The power consumption is reasonable (~200mA), the range is insane: ~300m with nothing but a PCB trace antenna and no directional equipment, and ~4km if you want to be ridiculous.

One thing that more people need to know about is how to program directly for this chip. Too many times projects use it as a crutch via the AT commands. Read on and find out how to hello world with just this chip.


Instrumentation Amplifiers and How to Measure Miniscule Change

These days there are a large number of sensors and analog circuits that are “controller friendly”, meaning that their output signal is easily interfaced to the built-in Analog to Digital Converters (ADCs) often found in today’s micro-controllers. This means that the signals typically are already amplified, often filtered, and corrected for offset and linearity. But when faced with very low level signals, or signals buried in a larger signal, an Instrumentation Amplifier may be what’s needed. The qualities of an Instrumentation Amplifier include:

  • A differential amplifier with high impedance and low bias current on both inputs.
  • Low noise and low drift when amplifying very small signals.
  • The ability to reject a voltage that is present on both inputs, quantified as the Common Mode Rejection Ratio (CMRR).


Creative DRAM abuse with Rowhammer

Project Zero, Google’s security analyst unit, has proved that rowhammer can be used as an exploit to gain superuser privileges on some computers. Row Hammer, or rowhammer, is a method of flipping bits in DRAM by hammering rows with fast read accesses. [Mark Seaborn] and the rest of the Project Zero team learned of rowhammer by reading [Yoongu Kim’s] 2014 paper “Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors” (PDF link). According to [Kim], the memory industry has known about the issue since at least 2012, when Intel began filing patents for mitigation techniques.

“Row hammer” by Dsimic, own work. Licensed under CC BY-SA 4.0 via Wikimedia Commons.

The technique is deceptively simple. Dynamic RAM is organized into a matrix of rows and columns. By performing fast reads on addresses in the same row, bits in adjacent rows can be flipped. In the example image to the left, fast reads on the purple row can cause bit flips in either of the yellow rows. The Project Zero team discovered an even more aggressive technique they call “double-sided hammering”. In this case, fast reads are performed on both yellow rows. The team found that double-sided hammering can cause more than 25 bits to flip in a single row on a particularly vulnerable computer.

Why does this happen? The answer lies within the internal structure of DRAM, and a bit of semiconductor physics. A DRAM memory bit is essentially a transistor and a capacitor. Data is stored by charging up the capacitor, which immediately begins to leak. DRAM must be refreshed before all the charge leaks away. Typically this refresh happens every 64ms. Higher density RAM chips have forced these capacitors to be closer together than ever before. So close in fact, that they can interact. Repeated reads of one row will cause the capacitors in adjacent rows to leak charge faster than normal. If enough charge leaks away before a refresh, the bit stored by that capacitor will flip.

Cache is not the answer

If you’re thinking that memory subsystems shouldn’t work this way due to cache, you’re right. Under normal circumstances, repeated data reads would be served from the processor’s data cache and never touch RAM. Cache can be flushed though, which is exactly what the Project Zero team is doing. The x86 CLFLUSH opcode ensures that each read will go out to physical RAM.

Wanton bit flipping is all fine and good, but the Project Zero team’s goal was to use the technique as an exploit. To pull that off, they had to figure out which bits they were flipping, and flip them in such a way as to give elevated access to a user level process. The Project Zero team eventually came up with two working exploits. One works to escape Google’s Native Client (NaCL) sandbox. The other exploit works as a userspace program on x86-64 Linux boxes.

Native Client sandbox escape exploit

Google defines Native Client (NaCL) as “a sandbox for running compiled C and C++ code in the browser efficiently and securely, independent of the user’s operating system.” It was designed specifically as a way to run code in the browser, without the risk of it escaping to the host system. Let that sink in for a moment. Now consider the fact that rowhammer is able to escape the walled garden and access physical memory. The exploit works by allocating 250MB of memory, rowhammering on random addresses, and checking for bit flips. Once bit flips are detected, the real fun starts. The exploit hides unsafe instructions inside the immediate arguments of “safe” instructions. In an example from the paper:

20EA0: 48 b8 0f 05 EB 0C F4 F4 F4 F4 movabs $0xF4F4F4F40CEB050F,%rax

Viewed from memory address 0x20EA0, this is an absolute move of a 64 bit value into register rax. However, if we move off alignment and start decoding two bytes later, at address 0x20EA2, now it’s a SYSCALL (0F 05). The NaCL escape exploit does exactly this, running shell commands which were hidden inside instructions that appeared to be safe.

Linux kernel privilege escalation exploit

The Project Zero team used rowhammer to give a Linux process access to all of physical memory. The process is more complex than the NaCL exploit, but the basic idea revolves around page table entries (PTEs). Since the underlying structure of Linux’s page table is well known, rowhammer can be used to modify the bits which are used to translate virtual to physical addresses. By carefully controlling which bits are flipped, the attacking process can relocate its own pages anywhere in RAM. The team used this technique to redirect /bin/ping to their own shellcode. Since ping normally runs with superuser privileges, the shellcode can do anything it wants.
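As an added illustration (not code from the Hackaday post or from Project Zero), here is a model of the x86-64 4 KiB page-table entry showing why a single flipped bit in a PTE is so damaging: a flip anywhere in the physical frame number field (bits 12..51) silently remaps the whole page by a power-of-two number of pages, while a flip in bit 1, 2 or 63 only changes access rights. The field layout follows the Intel SDM; the PTE value and addresses are constructed.

```c
/* Added example (not from the Hackaday post or Project Zero's code).
 * Models the x86-64 4 KiB page-table-entry layout to show why one
 * flipped bit in a PTE remaps a whole page: the physical frame number
 * sits in bits 12..51, so flipping one of those bits moves the mapping
 * by 2^(bit-12) pages. Sample PTE and addresses are constructed values. */
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT  (1ULL << 0)
#define PTE_WRITABLE (1ULL << 1)
#define PTE_USER     (1ULL << 2)
#define PAGE_SHIFT   12
#define PFN_MASK     0x000FFFFFFFFFF000ULL /* PFN field, bits 12..51 */
typedef enum { FLIP_PERMISSION, FLIP_REMAP, FLIP_OTHER } flip_kind;

/* Physical frame number stored in a PTE. */
static uint64_t pte_pfn(uint64_t pte) { return (pte & PFN_MASK) >> PAGE_SHIFT; }

/* Physical address a 4 KiB PTE yields for a virtual address. */
static uint64_t pte_translate(uint64_t pte, uint64_t vaddr) {
    return (pte & PFN_MASK) | (vaddr & 0xFFFULL);
}

/* PTE with one bit (0..63) inverted: the effect of a single DRAM flip. */
static uint64_t pte_flip_bit(uint64_t pte, unsigned bit) {
    return pte ^ (1ULL << bit);
}

/* How many 4 KiB pages apart the frames of two PTEs are. */
static uint64_t pfn_distance(uint64_t a, uint64_t b) {
    uint64_t pa = pte_pfn(a), pb = pte_pfn(b);
    return pa > pb ? pa - pb : pb - pa;
}

/* What a flip of the given bit does: changes access rights (R/W, U/S, XD),
 * moves the mapping to another frame, or touches bookkeeping bits. */
static flip_kind classify_flip(unsigned bit) {
    if (bit == 1 || bit == 2 || bit == 63) return FLIP_PERMISSION;
    if (bit >= PAGE_SHIFT && bit <= 51) return FLIP_REMAP;
    return FLIP_OTHER;
}

int main(void) {
    uint64_t pte = 0x1234000ULL | PTE_PRESENT | PTE_WRITABLE | PTE_USER;
    uint64_t hit = pte_flip_bit(pte, 20); /* PFN bit 20: 256 pages away */
    printf("phys 0x%llx -> 0x%llx, %llu pages apart\n",
           (unsigned long long)pte_translate(pte, 0xabc),
           (unsigned long long)pte_translate(hit, 0xabc),
           (unsigned long long)pfn_distance(pte, hit));
    return 0;
}
```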

The TL;DR

Rowhammer is a nasty vulnerability, but the sky isn’t falling just yet. Google has already patched NaCL by removing access to the CLFLUSH opcode, so NaCL is safe from any currently known rowhammer attacks. Project Zero didn’t run an exhaustive test to find out which computer and RAM manufacturers are vulnerable to rowhammer. In fact, they were only able to flip bits on laptops. The desktop machines they tried used ECC RAM, which may have corrected the bit flips as they happened. ECC RAM will help, but doesn’t guarantee protection from rowhammer, especially when multiple bit flips occur in the same word. The best protection is a new machine: newer RAM technologies include mitigation techniques. The LPDDR4 standard includes “Targeted Row Refresh” (TRR) and “Maximum Activate Count” (MAC), both methods to avoid rowhammer vulnerability. That’s a good excuse to buy a new laptop if we ever heard one!

If you want to play along at home, the Project Zero team have a rowhammer test up on GitHub.

Arduino v Arduino: Part II

Since our last article covering the Arduino v. Arduino case, we’ve received a couple of tips, done some more digging, and learned a lot more about what’s going on. We thought it was time to share the story with you as it develops.

The Players

In short, there are two companies calling themselves “Arduino” at the moment. One, Arduino LLC was founded by [Massimo Banzi], [David Cuartielles], [David Mellis], [Tom Igoe] and [Gianluca Martino] in 2009, runs the website arduino.cc, and has been directing and releasing the code that makes it all work. Most of these folks had been working together on what would become the Arduino project since as early as 2005.

The other “Arduino” used to be called Smart Projects and was the manufacturing arm of the project founded and run by [Gianluca Martino]. Smart Projects changed their name to Arduino SRL in November 2014. (A “Società a responsabilità limitata” is one form of Italian limited-liability company.) They have been a major producer of Arduino boards from the very beginning and recently registered the domain arduino.org.

Around the time of the name change [Martino] sold his shares to a Swiss firm, Gheo SA, and [Federico Musto] was appointed CEO. Gheo SA is owned and directed by [Musto], who also runs a design consultancy based in the US and Taiwan called dog hunter, LLC.

dog hunter and [Musto] helped develop the Arduino Yun, a mashup of an Arduino with an OpenWRT-compatible WiFi router. dog hunter also runs the Linino.org website to support the Linux distribution that’s running on the router part of the Yun.

In short, on one side is Arduino LLC, run by the original Arduino Five and hosting arduino.cc. On the other is the company now called Arduino SRL, run by former co-developer [Federico Musto], who bought out the largest producer of Arduino boards and opened up arduino.org.


Caption CERN Contest Rolls into Week 6

The Caption CERN Contest has been rolling along since the first week of February. We’re in our 6th week now, and the users over at Hackaday.io have given us some great captions!

Here are the results from Week 5:

The Funnies:

Guy #1: “Pay close attention: If anything goes wrong, press this BIG RED BUTTON. Then count to ten.”
Guy #2: “What does it do?”
Guy #1: “Absolutely nothing… it just gives you something to do while you’re dying a horrible, painful death.” – [Lorin Briand]
“We’ve miniaturized the mainframe – only 21,480 tubes!” – [Tim]
“Watch my finger… now, you are getting very sleepy… fund this project… sleeeeepy…” – [Erik Ratcliffe]

The winner this week is [johnowhitaker] with the following caption:

‘Any moment now…’ An elderly visitor waits skeptically for the ‘funny tingling’ experienced by anyone within 3m of the machine as it runs a specific program.

Congrats [johnowhitaker], you’re getting a free CRT Android T-shirt from The Hackaday Store!

Week 6 just started! Caption the image for your chance to win a T-shirt of your own!

CERN scientists and engineers often find themselves in interesting positions. However, we’re not sure if this CERN staffer ever expected to be quite where he is now!

The only hard information we have to go on is the title of the image in the album: “SEPARATEURS ELECTRO STATICS MONTAGE DES ELECTRODES”. Our French isn’t as good as our C++ or x86 assembly, but that sounds like the assembly of electrodes for electrostatic separators. Which separators, on which beamline, and in what decade? Your guess is as good as ours, or CERN’s for that matter.

Add your humorous caption as a comment to this project log. Make sure you’re commenting on the project log, not on the project itself. As always, if you actually have information about the image or the people in it, let the folks at CERN know on the original image discussion page.

If you really want to see what’s happening at CERN, enter The Hackaday Prize! You could win a trip to Geneva, Switzerland to visit CERN yourself (not to mention a trip to space)!

Good Luck!


2015 Hackaday Prize: Build Something that Matters

Last year we challenged you to build the next generation of connected devices. Six months later, the best teams and projects from around the world battled for the greatest prize of all: the respect of their peers and a trip to space. This year, we’re issuing a call to hackers, engineers, makers and startups from all over the world, to focus their creative efforts on nothing less than solving serious issues facing humanity.

Fix the World

We’ll all be facing a lot of problems in the next few decades, whether they’re from rising costs and consumption of oil, droughts, access to food, demographic shifts in populations, or increasing health care costs. These problems need to be dealt with, and there’s no better time than right now to start working on solutions.

What do we want from you? We want you to identify the greatest problems faced by humanity in the next few years and come up with a solution. This can be anything from better, lower-cost solar power components, inexpensive ultrasound machines, better ways to store drugs, more advanced ways of measuring farm production, or cheaper, more sustainable smartphones to bridge the digital divide. The world is full of problems, but if there’s one thing hackers have taught us, it’s that there are more than enough people willing to find solutions.

Prizes

If worldwide notoriety isn’t enough personal incentive, Hackaday is back with a huge slate of prizes for those devices that best exemplify solutions to problems that matter.

The Grand Prize is a trip to space on a carrier of your choice or $196,883 (a Monster Group number). Other top prizes include a 90-Watt laser cutter, a builder kit (pcb mill, 3d printer, cnc router, bench lathe), a tour of CERN in Geneva, and a tour of Shenzhen in China.

New this year is the Best Product award. Go the extra mile and show a production-ready device (in addition to supplying three beta test units for judging) and you can score $100,000! The entry is of course still eligible to compete for the Grand prize and other top prizes.

We’re able to pull this off once again thanks to the vision of Supplyframe who managed to unite giants of the electronics industry as sponsors of the 2015 Hackaday Prize. Atmel, Freescale, Microchip, Mouser, and Texas Instruments have all signed on in supporting this mission.

Individuals, Colleges, Hackerspaces, and Startups

If you just don’t want to go it alone, get your team excited. After all, it was a team that won the Grand Prize last year. SatNOGS transformed the cash option of $196,418 into a jumpstart for a foundation to carry the project forward. Get the boss on board by touting the notoriety your company will get from showing off its engineering prowess. Or help build your resume by herding your college buddies into a brainstorming session. And the Best Product prize is perfect for startups who want to show off their builds.

Judges

Joining the Judging Panels this year are Akiba (Freaklabs), Pete Dokter (Sparkfun), Heather Knight (Marilyn MonRobot), Ben Krasnow (GoogleX & host of Applied Science on YouTube), Lenore Edman & Windell Oskay (Evil Mad Scientist Labs), and Micah Scott (Scanlime).

Our returning judges are Limor “Ladyada” Fried (Adafruit), Jack Ganssle (Ganssle Group, & The Embedded Muse), Dave Jones (EEVBlog), Ian Lesnet (Dangerous Prototypes), and Elecia White (Logical Elegance).

You can read all of the judge bios and find social media and webpage links for them on our Judges page. We are indebted to these industry experts for sharing their time and talent to make the Hackaday Prize possible.

Tell Everyone

We don’t ask often: please tell everyone you know about the 2015 Hackaday Prize! Social media share icons are just above the image at the top of this post. Submit this page or the prize page (http://hackaday.io/prize) to all your favorite sites. No hacker should get through this day without hearing about #HackadayPrize and we can’t reach total media saturation without your help. Thanks in advance!

GET STARTED NOW

Don’t wait, put up an idea right now and tag it with “2015HackadayPrize”. We’re sending out swag for early ideas that help get the ball rolling. And as you flesh out your plans you could score prizes to help build the prototype like PCBs, 3D prints, laser cutting, etc. Make it to the finals and you’ll be looking at the five top prizes we mentioned earlier. A simple idea can change the world.
