Underclocking The ESP8266 Leads To WiFi Weirdness

January 4, 2019 by 39 Comments

Sometimes the best hacks come from the most basic of questions. In this case, [CNLohr] was wondering what would happen if he started to reduce the clock speed of the ESP8266’s Baseband PLL (BBPLL) while still trying to communicate with it. You know, as one does. The results ended up being fairly surprising, and while it’s not immediately clear if there’s a practical application for this particular trick, it’s certainly worth some additional research.

Code for stepping through clock speeds

The idea here is that the BBPLL is the reference clock for the entire system, including all of the peripherals. So underclocking it doesn’t just slow down code execution as you might expect, but it also slows down the chip’s interactions with the outside world. [CNLohr] demonstrates this concept in the video below, showing how the baud rate used to view the serial output from the ESP8266 needs to be adjusted to match the chip’s frequency or else you’ll only get garbage on the line.

But what happens to the WiFi? As [CNLohr] discovered, while the center frequency itself doesn’t change, the channel width gets narrower as the clock rate is lowered. When viewed on the waterfall display of a software defined radio (SDR), the transmission can be seen “compressing” in a step pattern as the clock rate is reduced. As one might expect, the 802.11 packets become indecipherable to a normal WiFi device running in monitor mode. The signal is still at the correct frequency, but the devices can no longer understand each other.

Now it was time for another of those basic questions. What would happen if you did the same thing to a second ESP8266? Much to his surprise, [CNLohr] discovered that the two devices could still communicate successfully as long as their BBPLL clock speed was the same. From an outsider’s perspective it looked like gibberish, but to the two ESPs which had been slowed by the same amount, everything worked as expected even though the 802.11 standards say it shouldn’t.

So what can you do with this? The most obvious application is a “stealth” WiFi connection between ESP8266s which wouldn’t show up to normal devices, a communications channel invisible to all but the most astute eavesdropper. [CNLohr] has made all the source code to pull this trick off public on GitHub, and it should be interesting to see what kind of applications (if any) hackers find for this standards-breaking behavior.

If your thing is devices being forced into operations they were never intended to by particularly twisted hackers, check out our recent coverage of the USB serial adapter turned SDR by [Ted Yapo].

Continue reading “Underclocking The ESP8266 Leads To WiFi Weirdness”

Peering Into A Running Brain: SDRAM Refresh Analyzed From Userspace

December 28, 2018 by 7 Comments

Over on the Cloudflare blog, [Marek] found himself wondering about computer memory, as we all sometimes do. Specifically, he pondered if he could detect the refresh of his SDRAM from within a running program. We’re probably not ruining the surprise by telling you that the answer is yes — with a little more than 100 lines of C and help from our old friend the Fast Fourier Transform (FFT), [Marek] was able to detect SDRAM refresh cycles every 7818.6 ns, lining right up with the expected result.

The “D” in SDRAM stands for dynamic, meaning that unless periodically refreshed by reading and writing, data in the memory will decay. In this kind of memory, each bit is stored as a charge on a tiny capacitor. Given enough time (which varies with ambient temperature), this charge can leak away to neighboring silicon, turning all the 1s to 0s, and destroying the data. To combat this process, the memory controller periodically issues a refresh command which reads the data before it decays, then writes the data back to fully charge the capacitors again. Done often enough, this will preserve the memory contents indefinitely. SDRAM is relatively inexpensive and available in large capacity compared to the alternatives, but the drawback is that the CPU can’t access the portion of memory being refreshed, so execution gets delayed a little whenever a memory access and refresh cycle collide.

Chasing the Correct Hiccup

[Marek] figured that he could detect this “hiccup,” as he calls it, by running some memory accesses and recording the current time in a tight loop. Of course, the cache on modern CPUs would mean that for a small amount of data, the SDRAM would never be accessed, so he flushes the cache each time. The source code, which is available on GitHub, outputs the time taken by each iteration of the inner loop. In his case, the loop typically takes around 140 ns.

Hurray! The first frequency spike is indeed what we were looking for, and indeed does correlate with the refresh times.

The other spikes at 256kHz, 384kHz, 512kHz and so on, are multiplies of our base frequency of 128kHz called harmonics. These are a side effect of performing FFT on something like a square wave and totally expected.

As [Marek] notes, the raw data doesn’t reveal too much. After all, there are a lot of things that can cause little delays in a modern multitasking operating system, resulting in very noisy data. Even thresholding and resampling the data doesn’t bring refresh hiccups to the fore. To detect the SDRAM refresh cycles, he turned to the FFT, an efficient algorithm for computing the discrete Fourier transform, which excels at revealing periodicity. A few lines of python produced the desired result: a plot of the frequency spectrum of the lengthened loop iterations. Zooming in, he found the first frequency spike at 127.9 kHz, corresponding to the SDRAMs refresh period of 7.81 us, along with a number of other spikes representing harmonics of this fundamental frequency. To facilitate others’ experiments, [Marek] has created a command line version of the tool you can run on your own machine.

If this technique seems familiar, it may be because it’s similar the the Rowhammer attack we covered back in 2015, which can actually change data in SDRAM on vulnerable machines by rapidly accessing adjacent rows. As [Marek] points out, the fact that you can make these kinds of measurements from a userspace program can have profound security implications, as we saw with the meltdown and spectre attacks. We have to wonder what other vulnerabilities are lying inside our machines waiting to be discovered.

Thanks to [anfractuosity] for the tip!

Hack My House: Running Raspberry Pi Without An SD Card

October 8, 2018 by 62 Comments

Many of us have experienced the pain that is a Raspberry Pi with a corrupted SD card. I suspect the erase-on-write nature of flash memory is responsible for much of the problem. Regardless of the cause, one solution is to use PXE booting with the Raspberry Pi 3. That’s a fancy way to say we’ll be booting the Raspberry Pi over the network, instead of from an SD card.

What does this have to do with Hacking My House? As I discussed last time, I’m using Raspberry Pi as Infrastructure by building them into the walls of every room in my house. You don’t want to drag out a ladder and screwdriver to swap out a misbehaving SD card, so booting over the network is a really good solution. I know I promised we’d discuss cabling and cameras. Think of this as a parenthetical article — we’ll talk about Ethernet and ZoneMinder next time.

So let’s dive in and see what the Preboot Execution Environment (PXE) is all about and how to use PXE with Raspberry Pi.

Continue reading “Hack My House: Running Raspberry Pi Without An SD Card”

Join Hackaday And Tindie This Thursday At Open Hardware Summit

September 25, 2018 by 2 Comments

This weekend Hackaday and Tindie will be trekking out to beautiful Cambridge, Massachusetts, for the greatest congregation of Open Source hardware enthusiasts on the planet. This is the Open Hardware Summit. It’s every year, most of the time in different places, and this year it’s back in the hallowed halls of MIT. Somebody put a car on the roof before we do.

The schedule for this year’s Open Hardware Summit is stuffed to the gills with interesting presentations sure to satiate every hardware nerd. We’ve got talks on Open Source Software Defined Radio, and the people behind the Hackaday Prize entry Programmable Air will be there talking about controlling soft robotics.

Really, though, this is an extravaganza filled with the people who make things, and here you’re not going to find a better crew. At every Open Hardware Summit we’ve attended, you can’t turn your head without locking eyes with someone with an interesting story of hardware heroics to tell.

This is, without a doubt, the greatest gathering of the people behind all your favorite hardware designs. The greats of 3D printing will be there, we’re going to get an update on the now two-year-old Open Hardware Certification program (hint: great success!), and there’s an awesome badge, as always. There will be some extra-special Hackaday swag in the goodie bags, sure to be a collectable. We’re going to be there with boots on the ground, but it’s still not too late to get tickets if you’re in the Boston area.

A BCD Clock For Your Desk

September 1, 2018 by 8 Comments

We see so many clocks here at Hackaday, and among those we see our fair share of binary clocks. But to see one that at first sight looks as though it might be a commercial product when it is in fact a one-off project is something special. That’s just what [Tobi4sDE] has done though, with his desktop BCD binary LED clock.

The front panel is a black PCB on which sit the LEDs that form the binary display, and its back holds an ATMega328P microcontroller and DS3231 real-time clock. A smart desktop case is 3D-printed, and while the clock is USB-powered it features a CR2032 coin cell as a backup to hold the time while the USB is disconnected.

Unexpectedly he’s used a mini USB socket rather than the expected micro USB, but the rest of the clock is one we’d probably all have on our desks given the chance. We’d even go so far as to say we’d have this one as a kit if it were available.

Of course, regular readers will notice that this isn’t the only high-standard BCD timepiece you’ll have seen recently, though the other one was a wristwatch.

Teardown Of A Fingerprint Padlock

August 5, 2018 by 8 Comments

We wouldn’t mind tearing down a fingerprint scanner, but we hate to bust up our expensive laptop or cell phone. [Julian], however, got a hold of a fingerprint scanning padlock and was willing to tear it apart for our benefit. The video appears below.

The padlock is a simple enough little device with a cable lock instead of a solid metal shackle, although we have seen similar devices with traditional shackles. Initially, the lock’s fingerprint storage is empty and it will open for any fingerprint. The first task is to set an administrator fingerprint. You’ll need that fingerprint to set up other fingerprints or to reset the unit. Of course, what we are really interested in is what’s inside.

Continue reading “Teardown Of A Fingerprint Padlock”

Homebrew SDR Ham Radio In 9 Parts

June 6, 2018 by 31 Comments

It used to be homebrew ham gear meant something simple. A couple of active devices that could send CW. Maybe a receiver with a VFO. But only the most advanced builders could tackle a wide range SSB transceiver. Today, that goal is still not trivial, but it is way easier due to specialty ICs, ready access to high-speed digital signal processing, and advances in software-defined radio techniques. [Charlie Morris] decided to build an SSB rig that incorporated these technologies and he shared the whole process from design to operation in a series of nine videos. You can see the first one below.

The NE612 is a child of the popular NE602 chip, which contains a Gilbert-cell mixer, and an oscillator that makes building a receiver much easier than it has been in the past. The chips are set up as direct conversion receivers and feed a Teensy which does the digital signal processing on the recovered audio.

Continue reading “Homebrew SDR Ham Radio In 9 Parts”