Hackaday Prize Worldwide: Maker’s Asylum Meetup in Mumbai

I am excited to announce Hackaday’s first ever event in India. We have a huge readership in the country and because I am based in Mumbai there is an opportunity to organize some events. This Saturday, March 21st, at the Maker’s Asylum hackerspace we will gather for “Bring-A-Hack Maker’s Asylum” to talk about our passion for making and hacking. We’ll discuss the 2015 Hackaday Prize, which offers $500,000 in prizes for hackers who can build solutions to problems faced by a wide range of people. What does that really mean? That’s one of the topics of the evening. Of course there will be plenty of time to show off your own hacks, ask for advice on difficult projects, and socialize with everyone who attends. Please visit the event page for all the details.

For all of you who aren’t in the area, I’d like to share with you a little background about hackerspaces in India.

Hacking in India

Hack: “To use something in a way it was not originally intended.” This may sound very familiar when you hear that “Hack is the English equivalent of the Hindi-Urdu word Jugaad.” So hacking has a very positive and useful connotation when used in such a context. Everybody does it some time or the other – sometimes unknowingly, but quite often on purpose. It follows that people who hack are called Hackers – and again, that description is used in a very positive sense.

Sometime around the turn of the 21st century, individual Hackers who up until then used to work in isolation started congregating to form clubs and community spaces which came to be called – no points for guessing – Hacker Spaces. The movement spread rapidly over Europe and then on to the United States, and slowly to other parts of the world. Hacker Spaces became the breeding grounds for individual innovation. People with bright ideas would seek guidance and peer review of their hacks, and if a hack was interesting enough for the wider community, they would launch themselves as enterprising startups. Hacker Spaces provided the environment, the tools, and a community for people to tinker away and build stuff. In a sense, it is like going back to our enterprising roots before the advent of widespread industrialization stifled individual entrepreneurship.

Rise of our Hackerspace Culture

Around 2008, when my interest in hacking was revived, I could not find a single Hacker Space in India. It wasn’t until late 2013 that I found another hacker with similar interests who wanted to set up a Hacker Space. When [Vaibhav Chabbra] met me in Ahmedabad during Maker Fest and mentioned that he had set up such a space in Mumbai, I immediately jumped in to help him out. Thus was born Makers’ Asylum. Since then, within a span of just 1 1/2 years, Hacker Spaces have sprung up in Ahmedabad, Surat, Pune, Bangalore, Hyderabad, Chennai, New Delhi and Meerut, and I am sure we will hear about more of them soon in other cities. The Hacker movement is very much here, and here to stay and grow.


Crazy Whirlwind Pre-Hackaday Prize Launch Tour

The Hackaday Prize was about to launch but the date wasn’t public yet. I decided to do a pre-launch tour to visit a few places and to drop in on some of the Hackaday Prize Judges. It started in Chicagoland, looped through San Francisco for a hardware meetup and Hardware Con, then finished with visits to [Ben Krasnow’s] workshop, [Elecia White’s] studio, and the Evil Mad Scientist Laboratories.

The Prize is now running and it’s time for you to enter. Look at some of the awesome hacking going on at the places I visited and then submit your own idea to get your entry started. Join me after the break for all the details of the adventure.


How to Directly Program an Inexpensive ESP8266 WiFi Module

The ESP8266 is the answer to “I want something with WiFi.” Surprisingly, there are a number of engineers and hobbyists who have not heard of this chip, or have heard of it but don’t really understand what it is. It’s basically the answer to everything IoT, and to so many engineering problems that have plagued the hobbyist and commercial world alike.

The chip is a processor with integrated RAM, some ROM, and a WiFi radio, and the only external components you will need are 4 capacitors, a crystal and an external flash! It’s CHEAP, like $4/ea cheap! Or $5 if you want it on a nice, convenient carrier board that includes all these components. The power consumption is reasonable (~200mA), and the range is insane: ~300m with a PCB trace antenna and no directional equipment, and ~4km if you want to be ridiculous.

One thing that more people need to know about is how to program directly for this chip. Too many projects use it as a crutch via the AT commands. Read on and find out how to hello world with just this chip.


Instrumentation Amplifiers and How to Measure Miniscule Change

These days there are a large number of sensors and analog circuits that are “controller friendly”, meaning that their output signal is easily interfaced to the built-in Analog to Digital Converters (ADCs) often found in today’s micro-controllers. This means that the signals typically are already amplified, often filtered, and corrected for offset and linearity. But when faced with very low level signals, or signals buried in a larger signal, an Instrumentation Amplifier may be what’s needed. The qualities of an Instrumentation Amplifier include:

  • A differential amplifier with high impedance and low bias current on both inputs.
  • Low noise and low drift when amplifying very small signals.
  • The ability to reject a voltage that is present on both inputs, quantified as the Common Mode Rejection Ratio (CMRR).


Creative DRAM abuse with Rowhammer

Project Zero, Google’s security research unit, has proved that rowhammer can be used as an exploit to gain superuser privileges on some computers. Row Hammer, or rowhammer, is a method of flipping bits in DRAM by hammering rows with fast read accesses. [Mark Seaborn] and the rest of the Project Zero team learned of rowhammer by reading [Yoongu Kim’s] 2014 paper “Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors” (PDF link). According to [Kim], the memory industry has known about the issue since at least 2012, when Intel began filing patents for mitigation techniques.

“Row hammer” by Dsimic (own work). Licensed under CC BY-SA 4.0 via Wikimedia Commons.

The technique is deceptively simple. Dynamic RAM is organized into a matrix of rows and columns. By performing fast reads on addresses in the same row, bits in adjacent rows can be flipped. In the example image to the left, fast reads on the purple row can cause bit flips in either of the yellow rows. The Project Zero team discovered an even more aggressive technique they call “double-sided hammering”. In this case, fast reads are performed on both yellow rows. The team found that double-sided hammering can cause more than 25 bits to flip in a single row on a particularly vulnerable computer.

Why does this happen? The answer lies within the internal structure of DRAM, and a bit of semiconductor physics. A DRAM memory bit is essentially a transistor and a capacitor. Data is stored by charging up the capacitor, which immediately begins to leak. DRAM must be refreshed before all the charge leaks away. Typically this refresh happens every 64ms. Higher density RAM chips have forced these capacitors to be closer together than ever before. So close in fact, that they can interact. Repeated reads of one row will cause the capacitors in adjacent rows to leak charge faster than normal. If enough charge leaks away before a refresh, the bit stored by that capacitor will flip.
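To make the leak-and-refresh model above and the single- versus double-sided hammering concrete, here is a toy simulation added for this write-up (it is not Project Zero’s test code). The charge units, the per-activation disturbance and the read threshold are constructed values; the optional `mac` argument models the Maximum Activate Count / Targeted Row Refresh mitigation the post mentions in its TL;DR.

```python
from typing import List, Optional

FULL_CHARGE = 10_000     # constructed units: a freshly written or refreshed cell
DISTURB_PER_ACT = 1      # charge a cell loses each time an adjacent row is activated (constructed)
READ_THRESHOLD = 5_000   # below this the sense amplifier reads the wrong value (constructed)


class DramBank:
    """One bank as a list of rows; each row is tracked by a single representative cell."""

    def __init__(self, rows: int, mac: Optional[int] = None) -> None:
        self.charge = [FULL_CHARGE] * rows
        self.act_count = [0] * rows
        self.mac = mac            # Maximum Activate Count; None disables the TRR logic

    def _neighbours(self, row: int) -> List[int]:
        return [r for r in (row - 1, row + 1) if 0 <= r < len(self.charge)]

    def activate(self, row: int) -> None:
        """One row activation, i.e. what a cache-bypassing (CLFLUSH) read forces."""
        for victim in self._neighbours(row):
            self.charge[victim] -= DISTURB_PER_ACT
        if self.mac is None:
            return
        self.act_count[row] += 1
        if self.act_count[row] >= self.mac:
            # Targeted Row Refresh: the controller refreshes the neighbours early
            for victim in self._neighbours(row):
                self.charge[victim] = FULL_CHARGE
            self.act_count[row] = 0

    def flipped_rows(self) -> List[int]:
        """Rows read back wrong at the end of the 64 ms window (no normal refresh in between)."""
        return [r for r, c in enumerate(self.charge) if c < READ_THRESHOLD]


def hammer(pattern: List[int], activations: int, mac: Optional[int] = None) -> List[int]:
    """Cycle through the aggressor rows in `pattern` for `activations` total activations."""
    bank = DramBank(rows=10, mac=mac)
    for i in range(activations):
        bank.activate(pattern[i % len(pattern)])
    return bank.flipped_rows()


if __name__ == "__main__":
    print("single-sided, row 5 hammered 6000x:", hammer([5], 6000))             # [4, 6]
    print("double-sided, rows 4 and 6, 3000x each:", hammer([4, 6], 6000))      # [5]
    print("double-sided with TRR (MAC=1000):", hammer([4, 6], 6000, mac=1000))  # []
```

With the same activation budget, double-sided hammering concentrates the disturbance on the row between the two aggressors, while the MAC/TRR logic refreshes the neighbours long before they drift past the read threshold.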

Cache is not the answer

If you’re thinking that memory subsystems shouldn’t work this way because of cache, you’re right. Under normal circumstances, repeated data reads would be served from the processor’s data cache and never touch RAM. Cache can be flushed though, which is exactly what the Project Zero team is doing. The x86 CLFLUSH instruction ensures that each read will go out to physical RAM.

Wanton bit flipping is all fine and good, but the Project Zero team’s goal was to use the technique as an exploit. To pull that off, they had to figure out which bits they were flipping, and flip them in such a way as to give elevated access to a user level process. The Project Zero team eventually came up with two working exploits. One works to escape Google’s Native Client (NaCL) sandbox. The other exploit works as a userspace program on x86-64 Linux boxes.

Native Client sandbox escape exploit

Google defines Native Client (NaCL) as “a sandbox for running compiled C and C++ code in the browser efficiently and securely, independent of the user’s operating system.” It was designed specifically as a way to run code in the browser without the risk of it escaping to the host system. Let that sink in for a moment. Now consider the fact that rowhammer is able to escape the walled garden and access physical memory. The exploit works by allocating 250MB of memory, rowhammering random addresses, and checking for bit flips. Once bit flips are detected, the real fun starts. The exploit hides unsafe instructions inside the immediate arguments of “safe” instructions. In an example from the paper:

20EA0: 48 b8 0f 05 EB 0C F4 F4 F4 F4 movabs $0xF4F4F4F40CEB050F,%rax 

Viewed from memory address 0x20EA0, this is an absolute move of a 64 bit value into register rax. However, if we move off alignment and decode the instruction stream two bytes in, from address 0x20EA2, now it’s a SYSCALL (0F 05). The NaCL escape exploit does exactly this, running shell commands which were hidden inside instructions that appeared to be safe.

Linux kernel privilege escalation exploit

The Project Zero team used rowhammer to give a Linux process access to all of physical memory. The process is more complex than the NaCL exploit, but the basic idea revolves around page table entries (PTE). Since the underlying structure of Linux’s page table is well known, rowhammer can be used to modify the bits which are used to translate virtual to physical addresses. By carefully controlling which bits are flipped, the attacking process can relocate its own pages anywhere in RAM. The team used this technique to redirect /bin/ping to their own shell code. Since Ping normally runs with superuser privileges, the shell code can do anything it wants.

The TL;DR

Rowhammer is a nasty vulnerability, but the sky isn’t falling just yet. Google has already patched NaCL by removing access to the CLFLUSH opcode, so NaCL is safe from any currently known rowhammer attacks. Project Zero didn’t run an exhaustive test to find out which computer and RAM manufacturers are vulnerable to rowhammer. In fact, they were only able to flip bits on laptops. The desktop machines they tried used ECC RAM, which may have corrected the bit flips as they happened. ECC RAM will help, but doesn’t guarantee protection from rowhammer – especially when multiple bit flips occur. The best protection is a new machine: new RAM technologies include mitigation techniques. The LPDDR4 standard includes “Targeted Row Refresh” (TRR) and “Maximum Activate Count” (MAC), both methods to avoid rowhammer vulnerability. That’s a good excuse to buy a new laptop if we ever heard one!
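On the ECC caveat above, here is an added example (not from the post) of why a single-error-correcting, double-error-detecting code fixes one flip, flags two, and can silently miscorrect three. It uses a constructed Hamming(7,4) plus overall parity over 4-bit words; typical ECC DIMMs use a (72,64) SECDED code over 64-bit words, but the failure mode is the same.

```python
def hamming_encode(nibble: int) -> int:
    """Encode 4 data bits into an 8-bit SECDED codeword.

    Bit positions 1..7 form a Hamming(7,4) word (parity at 1, 2, 4; data at 3, 5, 6, 7);
    bit 0 is an overall parity bit so that two flips can be told apart from one.
    """
    bits = [0] * 8
    bits[3], bits[5], bits[6], bits[7] = [(nibble >> i) & 1 for i in range(4)]
    bits[1] = bits[3] ^ bits[5] ^ bits[7]
    bits[2] = bits[3] ^ bits[6] ^ bits[7]
    bits[4] = bits[5] ^ bits[6] ^ bits[7]
    bits[0] = sum(bits[1:]) & 1
    return sum(b << i for i, b in enumerate(bits))


def hamming_decode(word: int) -> tuple:
    """Return (data, status); status is 'clean', 'corrected' or 'uncorrectable'."""
    bits = [(word >> i) & 1 for i in range(8)]
    syndrome = 0
    for pos in range(1, 8):           # XOR of the positions holding a 1
        if bits[pos]:
            syndrome ^= pos
    overall = sum(bits) & 1           # 0 when the whole 8-bit word has even parity
    if syndrome and not overall:
        return None, "uncorrectable"  # two flips: detected, cannot be fixed
    status = "clean"
    if overall:                       # odd parity: assume exactly one flip and undo it
        bits[syndrome] ^= 1           # syndrome 0 means the parity bit itself flipped
        status = "corrected"
    data = bits[3] | bits[5] << 1 | bits[6] << 2 | bits[7] << 3
    return data, status


def flip(word: int, positions) -> int:
    """Simulate disturbance errors: flip the given bit positions of a stored word."""
    for pos in positions:
        word ^= 1 << pos
    return word


if __name__ == "__main__":
    cw = hamming_encode(0b1011)                    # 0xAA
    print(hamming_decode(flip(cw, [3])))           # (11, 'corrected')
    print(hamming_decode(flip(cw, [3, 5])))        # (None, 'uncorrectable')
    print(hamming_decode(flip(cw, [3, 5, 6])))     # (12, 'corrected'): wrong data, no error raised
```

The third case is the one that matters for rowhammer: three flips in one word look like a single correctable error, so the controller returns wrong data with no machine-check or log entry to alert a defender.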

If you want to play along at home, the Project Zero team have a rowhammer test up on GitHub.

Arduino v Arduino: Part II

Since our last article covering the Arduino v. Arduino case, we’ve received a couple of tips, done some more digging, and learned a lot more about what’s going on. We thought it was time to share the story with you as it develops.

The Players

In short, there are two companies calling themselves “Arduino” at the moment. One, Arduino LLC was founded by [Massimo Banzi], [David Cuartielles], [David Mellis], [Tom Igoe] and [Gianluca Martino] in 2009, runs the website arduino.cc, and has been directing and releasing the code that makes it all work. Most of these folks had been working together on what would become the Arduino project since as early as 2005.

The other “Arduino” used to be called Smart Projects and was the manufacturing arm of the project founded and run by [Gianluca Martino]. Smart Projects changed their name to Arduino SRL in November 2014. (A “Società a responsabilità limitata” is one form of Italian limited-liability company.) They have been a major producer of Arduino boards from the very beginning and recently registered the domain arduino.org.

Around the time of the name change [Martino] sold his shares to a Swiss firm Gheo SA and [Federico Musto] was appointed CEO. Gheo SA is owned and directed by [Musto], who also runs a design consultancy based in the US and Taiwan called dog hunter, LLC.

dog hunter and [Musto] helped develop the Arduino Yun, a mashup of an Arduino with an OpenWRT-compatible WiFi router. dog hunter also runs the Linino.org website to support the Linux distribution that’s running on the router part of the Yun.

In short, on one side is Arduino LLC, run by the original Arduino Five and hosting arduino.cc. On the other is the company now called Arduino SRL, run by former co-developer [Federico Musto], who bought out the largest producer of Arduino boards and opened up arduino.org.


Caption CERN Contest Rolls into Week 6

The Caption CERN Contest has been rolling along since the first week of February. We’re in our 6th week now, and the users over at Hackaday.io have given us some great captions!

Here are the results from Week 5:

The Funnies:

Guy #1 “Pay close attention: If anything goes wrong, press this BIG RED BUTTON. Then count to ten.”
Guy #2 “What does it do?”
Guy #1 “Absolutely nothing… it just gives you something to do while you’re dying a horrible, painful death.” – [Lorin Briand]
“We’ve miniaturized the mainframe – only 21,480 tubes!” – [Tim]
“Watch my finger…now, you are getting very sleepy…fund this project…sleeeeepy…” – [Erik Ratcliffe]

The winner this week is [johnowhitaker] with the following caption:

‘Any moment now…’ An elderly visitor waits skeptically for the ‘funny tingling’ experienced by anyone within 3m of the machine as it runs a specific program.

Congrats [johnowhitaker], you’re getting a free CRT Android T-shirt from The Hackaday Store!

Week 6 just started! Caption the image for your chance to win a T-shirt of your own!

CERN scientists and engineers often find themselves in interesting positions. However, we’re not sure if this CERN staffer ever expected to be quite where he is now!

The only hard information we have to go on is the title of the image: “SEPARATEURS ELECTRO STATICS MONTAGE DES ELECTRODES”. Our French isn’t as good as our C++ or x86 assembly, but that sounds like electrostatic separators. Which separators, on which beamline, and in what decade? Your guess is as good as ours, or CERN’s for that matter.

Add your humorous caption as a comment to this project log. Make sure you’re commenting on the project log, not on the project itself. As always, if you actually have information about the image or the people in it, let the folks at CERN know on the original image discussion page.

If you really want to see what’s happening at CERN, enter The Hackaday Prize! You could win a trip to Geneva, Switzerland to visit CERN yourself (not to mention a trip to space)!

Good Luck!