Racing The Beam On A Thin Client, In FPGAs

December 7, 2018 by 60 Comments

A few years back, a company by the name of Pano Logic launched a line of FPGA-based thin clients. Sadly, the market didn’t eventuate, and the majority of this stock ended up on eBay, to eventually be snapped up by eager hackers. [Tom] is one of those very hackers, and decided to try some raytracing experiments with the hardware.

[Tom] has one of the earlier Pano Logic clients, with VGA output and a Xilinx Spartan-3E 1600 FPGA under the hood. Due to limited RAM in the FPGA, and wanting to avoid coding a custom DRAM controller for the memory on the board, there just wasn’t room for a framebuffer. Instead, it was decided that the raytracer would instead “race the beam” – calculating each pixel on the fly, beating the monitor’s refresh rate.

This approach means that resource management is key, and [Tom] notes that even seemingly minor changes to the raytracing environment require inordinately large increases in calculation. Simply adding a shadow and directional light increased core logic utilisation from 66% to 92%!

While the project may not be scalable, [Tom] was able to implement the classic reflective sphere, which bounces upon a checkered plane and even added some camera motion to liven things up through an onboard CPU core. It’s a real nuts-and-bolts walkthrough of how to work with limited resources on an FPGA platform. Code is available on Github if you fancy taking a further peek under the hood.

If you’re new to FPGAs yourself, why not check out our FPGA bootcamp?

Magic Wand Learns Spells Through Machine Learning And An IMU

December 7, 2018 by 6 Comments

Jennifer Wang likes to dress up for cosplay and she’s a Harry Potter fan. Her wizarding skills are technological rather than magical but to the casual observer she’s managed to blur those lines. Having a lot of experience with different sensors, she decided to fuse all of this together to make a magic wand. The wand contains an inertial measurement unit (IMU) so it can detect gestures. Instead of hardcoding everything [Jennifer] used machine learning and presented her results at the Hackaday Superconference. Didn’t make it to Supercon? No worries, you can watch her talk on building IMU-based gesture recognition below, and grab the code from GitHub.

Naturally, we enjoyed seeing the technology parts of her project, and this is a great primer on applying machine learning to sensor data. But what we thought was really insightful was the discussions about the entire design lifecycle. Asking questions to scope the design space such as how much money can you spend, who will use the device, and where you will use it are often things we subconsciously answer but don’t make explicit. Failing to answer these questions at all increases the risk your project will fail or, at least, not be as successful as it could have been.

Continue reading “Magic Wand Learns Spells Through Machine Learning And An IMU”

Better Mechanical Keyboards Through 3D Printing

December 7, 2018 by 14 Comments

You’re not cool unless you have a mechanical keyboard. No, you won’t be able to tell if your coworkers don’t like it, because you won’t be able to hear their complaining over the sound of your clack-clack-clacking. You can even go all-in with switch modifications, o-rings, and new springs, or you could use your 3D printer to modify the touch of your wonderful Cherry MX switches. That’s what a few researchers did, and the results are promising.

The ‘problem’ this research is attempting to solve is bottoming out on Cherry MX keyswitches. If you’re bottoming out, you’re doing it wrong, but nevertheless, you can get a publication out of solving repetitive strain injury. This was done by modeling the bottom housing of a Cherry MX switch by printing most of it in nylon on a Stratasys Objet 350 polyjet printer, with a tiny bit of of the housing printed with a polymer with a hardness of Shore 40. No, Shore A, Shore B, or Shore 00 was not specified, but hey, it’s just a conference paper.

The experimental test for this keyswitch was dropping a 150 gram weight from 125 mm onto the keyswitch, with a force sensitive resistor underneath the switch, connected to an Arduino. Data was logged, filtered, and fitted in Excel to create a plot of the force on dampened, rigid, and commercial switch housings. Results from ANOVA were p > 0.05 (p=0.12).

Despite the lack of significant results, there is something here. The Objet is one of the few printers that can do multimaterial printing with the resolution needed to replicate an injection molded part. There is a trend to the data, and printing squishy parts into a keyswitch should improve typing feel. There will be more work on this, but in the meantime we’re hopeful some other experimenters will pick up this train of research.

Weaponized Networked Printing Is Now A Thing

December 7, 2018 by 37 Comments

It’s a fairly safe bet that a Venn diagram of Hackaday readers and those who closely follow the careers of YouTube megastars doesn’t have a whole lot of overlap, so you’re perhaps blissfully unaware of the man who calls himself [PewDiePie]. As such, you might not know that a battle between himself and another YouTube channel which uploads Bollywood music videos has reached such a fever pitch that his fans have resorted to guerrilla hacking to try to sway public opinion towards their side. It’s perhaps not the dystopian future we imagined, but it just might be the one we deserve.

To briefly summarize the situation, a hacker known only by the handle [TheHackerGiraffe] decided to help out Dear Leader by launching an automated attack against 50,000 Internet connected printers. When the hack was successful, the printer would spit out a page of digital propaganda, complete with fist ASCII art, that urged the recipient to go on YouTube and pledge their support for [PewDiePie]. There’s some debate about how many of the printers [TheHackerGiraffe] targeted actually delivered their payload, but judging by reactions throughout social media, it was enough to get the message out.

While the stunt itself may have come as a surprise, the methodology wasn’t. In fact, the only surprising element to the security researchers who’ve weighed in on the situation is that this hasn’t happened more often. It certainly isn’t the first time somebody’s done it, but the fact that this time its been connected to such a high profile Internet celebrity is putting more eyes on the problem then there have been in the past. Now that the proverbial cat is out of the bag, there are even websites springing up which claim to be purveyors of “Printer Advertising”. Odds are good this won’t be the last time somebody’s printer starts running off more than TPS reports.

We here at Hackaday don’t have much interest in the battle for YouTube supremacy. We’re just pulling for Dave Jones’s EEVBlog channel to join [AvE] in breaking a million subscribers. But we’re very interested in the technology which made this attack possible, how likely it is we’re going to see more people exploit it, and what are we supposed to do now that even our own printers can be turned against us?

Continue reading “Weaponized Networked Printing Is Now A Thing”

5G Cellphone’s Location Privacy Broken Before It’s Even Implemented

December 7, 2018 by 52 Comments

Although hard to believe in the age of cheap IMSI-catchers, “subscriber location privacy” is supposed to be protected by mobile phone protocols. The Authentication and Key Agreement (AKA) protocol provides location privacy for 3G, 4G, and 5G connections, and it’s been broken at a basic enough level that three successive generations of a technology have had some of their secrets laid bare in one fell swoop.

When 3G was developed, long ago now, spoofing cell towers was expensive and difficult enough that the phone’s International Mobile Subscriber Identity (IMSI) was transmitted unencrypted. For 5G, a more secure version based on a asymmetric encryption and a challenge-reponse protocol that uses sequential numbers (SQNs) to prevent replay attacks. This hack against the AKA protocol sidesteps the IMSI, which remains encrypted and secure under 5G, and tracks you using the SQN.

The vulnerability exploits the AKA’s use of XOR to learn something about the SQN by repeating a challenge. Since the SQNs increment by one each time you use the phone, the authors can assume that if they see an SQN higher than a previous one by a reasonable number when you re-attach to their rogue cell tower, that it’s the same phone again. Since the SQNs are 48-bit numbers, their guess is very likely to be correct. What’s more, the difference in the SQN will reveal something about your phone usage while you’re away from the evil cell.

A sign of the times, the authors propose that this exploit could be used by repressive governments to track journalists, or by advertisers to better target ads. Which of these two dystopian nightmares is worse is left as comment fodder. Either way, it looks like 5G networks aren’t going to provide the location privacy that they promise.

Via [The Register]

Header image: MOs810 [CC BY-SA 4.0].

Hacking Your Way To A Custom TV Boot Screen

December 7, 2018 by 45 Comments

More and more companies are offering ways for customers to personalize their products, realizing that the increase in production cost will be more than made up for by the additional sales you’ll net by offering a bespoke product. It’s great for us as consumers, but unfortunately we’ve still got a ways to go before this attitude permeates all corners of the industry.

[Keegan Ryan] recently purchased a TV and wanted to replace its stock boot screen logo with something of his own concoction, but sadly the set offered no official way to make this happen. So naturally he decided to crack the thing open and do it the hard way The resulting write-up is a fascinating step by step account of the trials and tribulations that ultimately got him his coveted custom boot screen, and just might be enough to get you to take a screw driver to your own flat panel at home.

The TV [Keegan] brought was from a brand called SCEPTRE, but as a security researcher for NCC Group he thought it would be a fun spin to change the boot splash to say SPECTRE in honor of the infamous x86 microarchitecture attack. Practically speaking it meant just changing around two letters, but [Keegan] would still need to figure out where the image is stored, how it’s stored, and write a modified version to the TV without letting the magic smoke escape. Luckily the TV wasn’t a “smart” model, so he figured there wouldn’t be much in the way of security to keep him from poking around.

He starts by taking the TV apart and studying the main PCB. After identifying the principle components, he deduces where the device’s firmware must be stored: an 8 MB SPI flash chip from Macronix. He connects a logic analyzer up to the chip, and sure enough sees that the first few kilobytes are being read on startup. Confident in his assessment, he uses his hot air rework station to lift the chip off the board so that he can dive into its contents.

With the help of the trusty Bus Pirate, [Keegan] is able to pull the chip’s contents and verify its integrity by reading a few human-readable strings from it. Using the binwalk tool he’s able to identify a JPEG image within the firmware file, and by feeding its offset to dd, pull it out so he can view it. As hoped, it’s the full screen SCEPTRE logo. A few minutes in GIMP, and he’s ready to merge the modified image with the firmware and write it back to the chip.

He boots the TV back up and finds…nothing changed. A check of the datasheet for the SPI flash chip shows there are some protection bits used to prevent modifying particular regions of the chip. So after some modifications to the Bus Pirate script and another write, he boots the TV and hopes for the best. Finally he sees the object of his affection pop up on the big screen, a subtle change that reminds him every time the TV starts about the power of reverse engineering.

A Scratch-Built Forgotten Classic Of The Early PC Age

December 6, 2018 by 36 Comments

All the retrocomputer love for Commodore machines seems to fall on the C64 and Amiga, with a little sprinkling left over for the VIC-20. Those machines were truly wonderful, but what about the Commodore machine that paved their way? What about the machine that was one of the first to be gobbled up in the late 1970s by school districts eager to convert a broom closet into the new “computer lab”?

The PET 2001 might be a little hard to fall in love with given its all-in-one monitor, cassette recorder, and horrible chiclet keyboard, but some still hold a torch for it. [Glen] obviously felt strongly enough about the machine to build a PET from current production parts, and the results are pretty neat. When trying to recreate a 40-year old machine from scratch, some concessions must be made, of course. The case doesn’t attempt to replicate the all-in-one design, and the original keyboard was mercifully replaced by a standard PS/2 keyboard. But other than that the architecture is faithfully replicated using new production 65xx chips and 74HCT family logic chips. [Glen] had to jump through some hoops to get there, but as the video below shows, the finished machine plays a decent game of Space Invaders.

We’ve seen a PET brought back from the grave by FPGA and a C64 emulated on a Raspberry Pi, but going back to basics and building this from scratch was a fitting homage to an important machine in PC history.

Continue reading “A Scratch-Built Forgotten Classic Of The Early PC Age”