Author: Arya Voronova

514 Articles

All About USB-C: Introduction For Hackers

December 6, 2022 by 53 Comments

We’ve now had at least five years of USB-C ports in our devices. It’s a standard that many manufacturers and hackers can get behind. Initially, there was plenty of confusion about what we’d actually encounter out there, and manufacturer-induced aberrations have put some people off. However, USB-C is here to stay, and I’d like to show you how USB-C actually gets used out there, what you can expect out of it as a power user, and what you can get out of it as a hobbyist.

Modern devices have a set of common needs – they need a power input, or a power output, sometimes both, typically a USB2 connection, and often some higher-speed connectivity like a display output/input or USB 3. USB-C is an interface that aims to be able to take care of all of those. Everything aforementioned is optional, which is a blessing and a curse, but you can quickly learn to distinguish what to expect out of a device based on how it looks; if ever in doubt, I’d like to show you how to check.

Continue reading “All About USB-C: Introduction For Hackers”

Showing the scope screen and the BeagleBone setup side by side, with GPIO input and output traces shown on the scope screen.

How Realtime Is Your Kernel? Scope A GPIO To Find Out

December 5, 2022 by 27 Comments

When debugging something as involved as kernel scheduler timings, you would typically use one of the software-based debugging mechanisms available. However, in cases when software is close to bare metal, you don’t always need to do that. Instead, you can output a signal to a GPIO, and then use a logic analyzer or a scope to measure signal change timing – which is what [Albert David] did when evaluating Linux kernel’s PREEMPT_RT realtime operation patches.

When you reach for a realtime kernel, latency is what you care about – realtime means that for everything you do, you need to get a response within a certain (hopefully very short) interval. [Albert] wrote a program that reads a changing GPIO input and immediately writes the new state back, and scoped both of the signals to figure out the latency of of the real-time patched kernel as it processes the writes. Overlaying all the incoming and outgoing signals on the same scope screen, you can quickly determine just how suitable a scheduler is when it comes to getting an acceptable response times, and [Albert] also provides a ready-to-go BeagleBone image you can use for your own experiments, or say, in an educational environment.

What could you use this for? A lot of hobbyists use realtime kernels on Linux when building CNC machine controllers and robots, where things like motor control put tight constraints on how quickly a decision in your software is translated into real-world consequences, and if this sounds up your valley, check out this Linux real-time task tutorial from [Andreas]. If things get way too intense for a multi-tasking system like Linux, you might want to use a RTOS to begin with, and we have a guide on that for you, too.

The fully assembled RocketSwitch, with a 3D printed case on it and a USB-A connector sticking out, being held in someone's hand.

Rocket Switch – Accessibility Done With Elegance

December 4, 2022 by 7 Comments

Quite a few makers try and create devices helpful to others – today’s hack, Rocket Switch, is a lovely example of that. It’s a design by [Neil Squire] of [Makers Making Change], with a PCB that plugs onto an Adafruit Rotary Trinkey, soldering onto its exposed pads, equipping it with two headphone jacks connected to GPIOs. This is a simple design – only two headphone jacks and resistors, complete with a 3D printed case. The value is not as much in its construction, but more in what the Rocket Switch provides to its users.

This is an accessibility-enabling controller, a USB HID device which interfaces to a wide variety of headphone-jack-connectable switches. With this device, someone unable to use a computer mouse can use two tactile buttons to control their computer, either by imitating mouse clicks or by sending keypresses into accessibility software equipped a control flow for such two-switch arrangements.

Everything is open-source, and there’s an impressive amount of documentation – for 3D printing, ordering, usage, design choice explanations, and of course, a picture-peppered 15-page tutorial PDF with detailed assembly instructions for anyone who might need a Rocket Switch. Plus, [Makers Making Change] created a page where both people in need and makers with some free time can sign up to exchange these devices. It’s not the first time we see a design like this – perhaps the most famous example is Microsoft’s Xbox Adaptive Controller, something that we’ve seen a dad use to build an entertainment platform for his daughter.

Continue reading “Rocket Switch – Accessibility Done With Elegance”

side by side, showing hardware experiments with capacitor gating through FETs, an initial revision of the modchip board with some fixes, and a newer, final, clean revision.

A Modchip To Root Starlink User Terminals Through Voltage Glitching

November 28, 2022 by 37 Comments

A modchip is a small PCB that mounts directly on a larger board, tapping into points on that board to make it do something it wasn’t meant to do. We’ve typically seen modchips used with gaming consoles of yore, bypassing DRM protections in a way that a software hacks couldn’t quite do. As software complexity and therefore attack surface increased on newer consoles, software hacks have taken the stage. However, on more integrated pieces of hardware, we’ll still want to return to the old methods – and that’s what this modchip-based hack of a Starlink terminal brings us.

[Lennert Wouters]’ team has been poking and prodding at the Starlink User Terminal, trying to get root access, and needed to bypass the ARM Trusted Firmware boot-time integrity checks. The terminal’s PCB is satellite-dish-sized, so things like laser fault injection are hard to set up – hence, they went the voltage injection route. Much poking and prodding later, they developed a way to reliably glitch the CPU into verifying a faulty firmware, and got to a root shell – the journey described in a BlackHat talk embedded below. Continue reading “A Modchip To Root Starlink User Terminals Through Voltage Glitching”

Showing a new generation ATTiny on an SMD breakout plugged into a breadboard, being programmed

Come Learn About New ATtiny Generations

November 27, 2022 by 12 Comments

As the chip shortage hit, a lot of the familiar ATtiny chips have become unavailable and overpriced, and it mostly stayed the same since then. If you ever searched for “ATtiny” on your favourite electronics component retailer website, however, you’d notice that there’s quite a few ATtiny chips in stock most of the time – just that they’re from a much newer generation than we commonly see, with incompatible pinouts, slightly different architecture and longer model numbers like 412 and 3227. [David Johnson-Davies] from [technoblogy] is here to clarify things, and provide a summary of what the new ATtiny generations have to offer.

In 2019, he posted about 0- and 1-series ATtiny chips, comparing them to the ATtiny series we knew, decyphering the part numbering scheme for us, and providing a comparison table. Now, he’s returned to tell us about the 2- series ATtiny chips, merging the comparison tables together so that you can quickly evaluate available parts by their ROM/RAM size and the SMD package used. He also describes which peripherals are available on which series, as well as nuances in peripheral operation between the three generations. In the end, he reminds us of a simple way to program all these new parts – as it stands, you only need a USB-UART adapter and a 4.7K resistor.

Over the last decades, we’ve seen plenty of inspiring ATtiny projects – squeezing out everything we could out of 5 GPIOs, or slightly more for larger-package ATtiny chips. [David] has been setting an example for us, bringing projects like this function generator, this continuity tester, or an IR receiver with an OLED screen for diagnostics – all with an ATtiny85. It’s not the just pin count that’s a constraint, but the RAM and flash amounts as well – nevertheless, people have fit machine learning and an entire graphics stack into these chips before. If you’re stuck at home unable to do anything, like many of us were during lockdowns, you can always breadboard an ATtiny and see just how much you can get done with it.

A display with the magic mirror webpage shown running on it

Magic Mirror – On A Low CPU Budget

November 26, 2022 by 21 Comments

For quite a few hackers out there, it’s still hard to find a decently powerful Raspberry Pi for a non-eye-watering price. [Rupin Chheda] wanted to build a magic mirror with a web-based frontend, and a modern enough Raspberry Pi would’ve worked just fine. Sadly, all he could get was single-1 GHz-core 512MB-RAM Zero W boards, which he found unable to run Chromium well enough given the stock Raspbian Desktop install, let alone a webserver alongside it. Not to give up, [Rupin] gives us a step-by-step breakdown on creating a low-footprint Raspbian install showing a single webpage.

Starting with Raspbian Lite, a distribution that doesn’t ship with any desktop features by default, he shows how to equip it with a minimal GUI – no desktop environment needed, just an X server with the OpenBox window manager, as you don’t need more for a kiosk mode application. In place of Chromium, you can install Midori, which is a lean browser that works quite well in single-website mode, and [Rupin] shows you how to make it autostart, as well as the little quirks that make sure your display doesn’t go to sleep. The webserver runs in Heroku cloud, but we wager that, with such a minimal install, it could as well run on the device itself.

With these instructions, you can easily build a low-power single-page browser when all you have is a fairly basic Raspberry Pi board. Of course, magic mirrors are a well-researched topic by now, but you can always put a new spin on an old topic, like in this this retro-tv-based build. You don’t have to build a magic mirror to make use of this hack, either – build a recipe kiosk!

A slide from the presentation, showing the power trace of the chip, while it's being pulsed with the laser at various stages of execution

Defeating A Cryptoprocessor With Laser Beams

November 26, 2022 by 21 Comments

Cryptographic coprocessors are nice, for the most part. These are small chips you connect over I2C or One-Wire, with a whole bunch of cryptographic features implemented. They can hash data, securely store an encryption key and do internal encryption/decryption with it, sign data or validate signatures, and generate decent random numbers – all things that you might not want to do in firmware on your MCU, with the range of attacks you’d have to defend it against. Theoretically, this is great, but that moves the attack to the cryptographic coprocessor.

In this BlackHat presentation (slides), [Olivier Heriveaux] talks about how his team was tasked with investigating the security of the Coldcard cryptocurrency wallet. This wallet stores your private keys inside of an ATECC608A chip, in a secure area only unlocked once you enter your PIN. The team had already encountered the ATECC608A’s predecessor, the ATECC508A, in a different scenario, and that one gave up its secrets eventually. This time, could they break into the vault and leave with a bag full of Bitcoins?

Lacking a vault door to drill, they used a powerful laser, delidding the IC and pulsing different areas of it with the beam. How do you know when exactly to pulse? For that, they took power consumption traces of the chip, which, given enough tries and some signal averaging, let them make educated guesses on how the chip’s firmware went through the unlock command processing stages. We won’t spoil the video for you, but if you’re interested in power analysis and laser glitching, it’s well worth 30 minutes of your time.

You might think it’s good that we have these chips to work with – however, they’re not that hobbyist-friendly, as proper documentation is scarce for security-through-obscurity reasons. Another downside is that, inevitably, we’ll encounter them being used to thwart repair and reverse-engineering. However, if you wanted to explore what a cryptographic coprocessor brings you, you can get an ESP32 module with the ATECC608A inside, we’ve seen this chip put into an IoT-enabled wearable ECG project, and even a Nokia-shell LoRa mesh phone!

Continue reading “Defeating A Cryptoprocessor With Laser Beams”