As part of a university research project, [Vimal Patel] was asked to make something out of biodegradable 3D printer filament. The theme of the project is called Monomateriality — making products out of a single material to aid the manufacturing process, and after the product is used, ease of recycling.
He started by experimenting with the 3D printer filament in the UP 3D printers the university had on hand. But he wasn’t content with the layer-by-layer deposition method that all FDM printers use. He was more curious about free form deposition modeling — extruding material along multiple axes at once.
Using standard LEGO parts he was able to build an attachment for the hot glue gun to feed the 3mm diameter biodegradable filament through the nozzle. He’s uploaded the design files over at rebrickable.com to share with the world.
While the end product he designed (a bicycle helmet) isn’t too realistic, [Vimal’s] more excited at the accessibility of the making process — after all, you just need a hot glue gun and some LEGO.
Have you ever tried bending a metal rod into a consistent curve? Maybe you bent it over your knee or broke out a bucket or something. Doing it by hand never really gets the arc perfect. Handyman [Joe] found himself needing to bend a bunch of 1/4″ metal rod into various diameter rings. He didn’t have any tools to bend or roll metal and instead of fretting about it, he put on his ingenuity hat and built a perfect tool for the job.
That perfect tool is called a Roll Bender and it uses 3 rollers to bend metal into an arc of consistent radius. The straight piece of metal is passed by the rollers many times. The distance between the rollers is continually adjusted to reduce the radius of the arc of the metal until it reaches the correct size.
[Joe] started out with an old drill press vise. A piece of plate steel was welded to the stationary vise jaw to provide a platform for a grooved pulley to be mounted. On the clamping jaw, a piece of angle iron was attached to support two very large bearings. The metal rod is clamped between the two bearings and the grooved pulley. A key made from a socket and some scrap metal as a handle allow the user to rotate the pulley by hand while the distance between the rollers is adjusted by the vise’s crank. Doing this moves the rod back and forth between all 3 rollers to gradually mold the once-straight rod into a full ring.
Surface Grinders are machines that can make a surface of a part very flat, very smooth and very parallel to the face of the part that is mounted to the machine. Surface grinders usually have a spinning grinding wheel suspended over a moving bed. The bed moves the part back and forth under the grinding wheel removing an extremely small amount of material at a time, sometimes down to just a ten-thousandth of an inch (o.0001″) in order to make a precision part.
[Daniel] is a tool guy and wanted a Surface Grinder. He didn’t need a super-accurate commercial grinder so he decided to make one himself. It’s a doozy of a project and is made up of quite a few other tools. [Daniel] already had a mini CNC mill and decided this would be a good platform to begin with. The mill was rigid and already had automated X and Y axes, after all. For the grinder motor, nothing made more economical sense than to use a regular angle grinder, but there were two significant problems. First, no company made wide grinding wheels for an angle grinder. [Daniel] had to modify his spindle to accept an off-the-shelf surface grinding wheel. The second problem is that the new grinding wheel had a max RPM rating of 4400. The angle grinder can reach 10,600 RPM. In order to slow down the angle grinder, a speed control was taken out of an old variable-speed router and integrated with the angle grinder. Problem solved. A mount was then made to attached the angle grinder to the Z axis of the mill.
A magnetic chuck mounted to the mills bed is used to hold down metal work pieces. There is a lever on the chuck that when moved in one direction it creates a magnetic field to hold a ferrous piece of metal firmly to the chuck during machining. When the lever is moved in the other direction, the part is released and can be removed from the Surface Grinder.
To use his new Surface Grinder, [Daniel] creates a CNC g-code file to move his work piece back and forth underneath the grinding wheel. Being able to control the depth of cut and feed rates with his CNC machine removes human error from the grinding process and leaves a consistent finish on the part. Check out the video after the break.
Let’s play a quick word association game: Peanut butter…jelly. Arches…golden. NES…Netflix? That last one sounds like a stretch, but the [darNES] development team had a Hack Day and a dream. They started with cached Netflix data and ended up playing it on an ordinary NES. (YouTube link)
The data was pre-converted so that the video frames were stored as tilesets and stored in the ROM image. [Guy] used the NES memory mapper (MMC3) to swap the frames. [darNES] had originally planned to use a Raspberry Pi in the cartridge to handle the video conversion and networking, but had to change gears and make a static ROM image due to time constraints and resource availability.
Accessing the Netflix data is just like the days of yore – load the cartridge into an unmodified NES and hit the power button (they didn’t even need to blow on it!). A bare-bones Netflix gallery appears. You can move the white cursor on the screen with the NES controller’s D-pad. House of Cards was the choice, and true to form, the next screen shows you a synopsis with a still image and gives you the option to Play. Recommend is also there, but obviously won’t work in this setup. Still, it got a chuckle out of us. [darNES] admits that due to time issues they did not optimize the color palette for the tilesets. They plan to release more of the technical info this week, but have already given us some hints on their Hacker News thread.
Check out the videos after the break to see the video they fit onto a 256K NES cartridge.
The 6502 CPU is probably the most famous of all the 8-bit processors out there, whether in the form of bare chips for homebrew computers, or as slightly modified derivative chips found in everything from the C64, the NES, and the BBC Micro. For this edition of the Hacklet, we’re taking a look at all the 6502-based builds on hackaday.io.
There aren’t many transistors on a 6502, making it perfect for implementing on an FPGA. [Michael A. Morris] has an Arduino FPGA shield, and his soft-6502 project is called Cameleon. There’s a bunch of SPI Flash and FRAM on board, and the 128kB of (parallel) SRAM on the board is more than enough to handle any computational task you can throw at it.
Maybe programmable logic isn’t your thing, and you’d just like a simple computer like the Ohio Scientific or the Apple I. The L-Star is for you. That’s [Jac Goudsmit]’s build featuring a 6502, a Parallax Propeller, and little else.
The Parallax Propeller is a powerful (multi-core!) chip that’s easily capable of handling video out, keyboard in, and serving up the ROM and RAM of a computer. [Jac]’s build does it all beautifully, and if you’re looking for the easiest way to run code on a 6502, this is how you do it.
There’s some weird stuff going on in this machine – 18-bit addressing and 80kB of RAM. So far [Eric] has managed to dump the ROM, and he’s taking a look at the floppy controller board to see if he can figure out how it’s mapped. It’s one thing to figure out what’s broken on an Apple II or C64; those are well documented machines. It’s another thing entirely to figure out a machine very few people have heard of, and we tip our hat to [Eric] and his efforts.
Here’s a build that both does and doesn’t have a 6502 in it. [BladeRunner]’s SheMachine is a single board computer that has a 65c816 in it. The ‘816 is an interesting beast that operates as a standard 6502 until a bit is flipped in one of its registers. After that, it has a 24-bit address space for addressing 16 Megabytes of memory, 16-bit registers, but is still completely backwards compatible with the 6502. Yes, it does have weird interleaved address pins, but we can only imagine what the world would be like if this chip came out a few years earlier…
[BladeRunner] is designing the SheMachine with 1MB of SRAM – more than enough, really – and is mapping all the memory through a CPLD. That’s how you should do it, anyway.
The technique is deceptively simple. Dynamic RAM is organized into a matrix of rows and columns. By performing fast reads on addresses in the same row, bits in adjacent rows can be flipped. In the example image to the left, fast reads on the purple row can cause bit flips in either of the yellow rows. The Project Zero team discovered an even more aggressive technique they call “double-sided hammering”. In this case, fast reads are performed on both yellow rows. The team found that double-sided hammering can cause more than 25 bits to flip in a single row on a particularly vulnerable computer.
Why does this happen? The answer lies within the internal structure of DRAM, and a bit of semiconductor physics. A DRAM memory bit is essentially a transistor and a capacitor. Data is stored by charging up the capacitor, which immediately begins to leak. DRAM must be refreshed before all the charge leaks away. Typically this refresh happens every 64ms. Higher density RAM chips have forced these capacitors to be closer together than ever before. So close in fact, that they can interact. Repeated reads of one row will cause the capacitors in adjacent rows to leak charge faster than normal. If enough charge leaks away before a refresh, the bit stored by that capacitor will flip.
Cache is not the answer
If you’re thinking that memory subsystems shouldn’t work this way due to cache, you’re right. Under normal circumstances, repeated data reads would be stored in the processor’s data cache and never touch RAM. Cache can be flushed though, which is exactly what the Project Zero team is doing. The X86 CLFLUSH opcode ensures that each read will go out to physical RAM.
Wanton bit flipping is all fine and good, but the Project Zero team’s goal was to use the technique as an exploit. To pull that off, they had to figure out which bits they were flipping, and flip them in such a way as to give elevated access to a user level process. The Project Zero team eventually came up with two working exploits. One works to escape Google’s Native Client (NaCL) sandbox. The other exploit works as a userspace program on x86-64 Linux boxes.
Native Client sandbox escape exploit
Google defines Native Client (NaCL) as ” a sandbox for running compiled C and C++ code in the browser efficiently and securely, independent of the user’s operating system.” It was designed specifically as a way to run code in the browser, without the risk of it escaping to the host system. Let that sink in for a moment. Now consider the fact that rowhammer is able to escape the walled garden and access physical memory. The exploit works by allocating 250MB of memory, and rowhammering on random addresses, and checking for bit flips. Once bit flips are detected, the real fun starts. The exploit hides unsafe instructions inside immediate arguments of “safe” institutions. In an example from the paper:
Viewed from memory address 0x20EA0, this is an absolute move of a 64 bit value to register rax. However, if we move off alignment and read the instruction from address 0x20EA02, now it’s a SYSCALL – (0F 05). The NaCL escape exploit does exactly this, running shell commands which were hidden inside instructions that appeared to be safe.
Linux kernel privilege escalation exploit
The Project Zero team used rowhammer to give a Linux process access to all of physical memory. The process is more complex than the NaCL exploit, but the basic idea revolves around page table entries (PTE). Since the underlying structure of Linux’s page table is well known, rowhammer can be used to modify the bits which are used to translate virtual to physical addresses. By carefully controlling which bits are flipped, the attacking process can relocate its own pages anywhere in RAM. The team used this technique to redirect /bin/ping to their own shell code. Since Ping normally runs with superuser privileges, the shell code can do anything it wants.
Rowhammer is a nasty vulnerability, but the sky isn’t falling just yet. Google has already patched NaCL by removing access to the CLFLUSH opcode, so NaCL is safe from any currently known rowhammer attacks. Project Zero didn’t run an exhaustive test to find out which computer and RAM manufacturers are vulnerable to rowhammer. In fact, they were only able to flip bits on laptops. The desktop machines they tried used ECC RAM, which may have corrected the bit flips as they happened. ECC RAM will help, but doesn’t guarantee protection from rowhammer – especially when multiple bit flips occur. The best protection is a new machine – New RAM technologies include mitigation techniques. The LPDDR4 standard includes “Targeted Row Refresh” (TRR) and “Maximum Activate Count” (MAC), both methods to avoid rowhammer vulnerability. That’s a good excuse to buy a new laptop if we ever heard one!
[Daniel] has some awesome examples included on his website where you can test out the functionality for yourself. He has a hands-free scrolling example, spectrum plot, and even a virtual theremin. Since his code is bundled up into an easy-to-use library, it should be fairly easy to integrate into any webpage. The only real limitation to the library is that it only works in Chrome right now (Firefox doesn’t support disabling echo cancellation).