Reading The Unreadable SROM: Inside The PSoC4

Wow. [Dmitry Grinberg] just broke into the SROM on Cypress’ PSoC 4 chips. The supervisory read-only memory (SROM) in question is a region of proprietary code that runs when the chip starts up, and in privileged mode. It’s exactly the kind of black box that’s a little bit creepy and a horribly useful target for hackers if the black box can be broken open. What’s inside? In the manual it says “The user has no access to read or modify the SROM code.” Nobody outside of Cypress knows. Until now.

This matters because the PSoC 4000 chips are among the cheapest ARM Cortex-M0 parts out there. Consequently they’re inside countless consumer devices. Among [Dmitry]’s other tricks, he’s figured out how to write into the SROM, which opens the door for creating an undetectable rootkit on the chip that runs out of each reset. That’s the scary part.

The cool parts are scattered throughout [Dmitry]’s long and detailed writeup. He also found that the chips that have 8 K of flash actually have 16 K, and access to the rest of the memory is enabled by setting a single bit. This works because flash is written using routines that live in SROM, rather than the usual hardware-level write-to-register-and-wait procedure that we’re accustomed to with other micros. Of course, because it’s all done in software, you can brick the flash too by writing the wrong checksums. [Dmitry] did that twice. Good thing the chips are inexpensive.

The nitty-gritty on the ROP (return oriented programming) tricks that [Dmitry] had to pull, and a good look into the design of the system itself, are all up on [Dmitry]’s blog. We can’t wait to see what other buried treasure he’s going to find as he continues to play around with these chips. And in case you’re wondering what type of mad genius it takes to pull this off, consider that [Dmitry] runs Linux on AVRs, fools nRF24 chips into transmitting Bluetooth LE beacons, and re-writes his own airplane’s GPS.

[Main image is a PSoC4200 dev kit, and [Dmitry] has only been working with the 4000 and 4100 series. Just so you know.]

WiFi Power Bar!

Ever wanted to access a file or run some program on your computer while away from home, but the darned thing is turned off? Finding themselves occasionally working away from home and not wanting to leave their computer on for extended periods, [robotmaker]’s solution was to hack into existence a WiFi-controlled power bar!

Inside the junction box, an eight-channel relay is connected to an ESP8266 module. The module uses MQTT to communicate with Home Assistant and is powered by a partially dismembered USB AC adapter — wrapped in Kapton tape for safe-keeping. The entire bar is wired through a 10A fuse, while also using a fire resistant 4-gang electrical box. Once the outlets were wired in, closing it up finished up the power bar.

[robotmaker] controls the outlets via a cheap smartphone — running HADashboard — mounted to a wall with a 3D printed support. Don’t worry — they’ve set up the system to wait for the PCs to power down before cutting power, and they are also configured to boot up when the relay turns on.

The best part — the power bar only cost $25.

[via /r/homeautomation]

This Art Project’s Video Is Not A Time-Lapse


Artist Pe Lang uses linear polarization filters to create an unusual effect in his piece polarization | nº 1. The piece consists of a large number of discs made from polarizing film that partially overlap each other at the edges. Motors turn these discs slowly, and in the process the overlapping portions go from clear to opaque black and back again.

The disc rotation speed may be low but the individual transitions occur quite abruptly. Seeing a large number of the individual discs transitioning in a chaotic pattern — but at a steady rate — is a strange visual effect. About 30 seconds into the video there is a close up, and you can see for yourself that the motors and discs are all moving at a constant rate. Even so, it’s hard to shake the feeling that one is watching a time-lapse. See for yourself in the video, embedded below.


Antenna Analyzer Is A Lab In A Box

There was a time when the measure of a transmitting radio antenna was having it light an incandescent bulb. A step up was a classic SWR/Power meter that showed you forward and reflected power. Over the years, a few other instruments have tried to provide a deeper look into antenna performance. However, the modern champion is the antenna analyzer which is a way of measuring vector impedance.

[Captain Science] did a review of an inexpensive N1201SA analyzer. This device is well under $200 from the usual Chinese sellers. The only thing a bit odd is the frequency range which is 140 MHz to 2700 MHz. For some extra money (about $80 or $100 more) you can drop the low-end frequency to just under 35 MHz.


Powering A Laptop With Supercapacitors

What do you do when you find a small hoard of supercapacitors? The correct answer is a spectrum of dangerous devices ranging from gauss guns to quarter shrinkers. [Rinoa] had a less destructive idea: she’s replaced the battery in a laptop with a bank of supercapacitors.

The supercaps in question are 2.7 Volt, 500 Farad caps arranged in banks of six for a total of about 3 watt-hours in each bank. The laptop used for this experiment is an IBM Thinkpad from around 1998. The stock battery in this laptop is sufficiently less advanced than today’s laptop batteries. Instead of using a microcontroller and SMBus in the battery, the only connections between the battery and laptop are power, ground, and connections for a thermocouple. This is standard for laptops of the mid-90s, and common in low-end laptops of the early 2000s. It also makes hacking these batteries very easy as there are no associated microprocessors to futz around with.

With all the capacitor banks charged, the laptop works. It should – there isn’t a lot of intelligence in this battery. With one bank of six supercaps, [Rinoa] is getting a few minutes of power on her laptop. With a stack of supercaps that take up about the same volume as this already thick Thinkpad, [Rinoa] can play a few turns of her favorite late-90s turn-based strategy game. It’s not much, but it does work.

Check out [Rinoa]’s video below.


How Good Is Your Aim First Thing In The Morning?

For the less than highly-driven individuals out there — and even some that are — sometimes, waking up is hard to do, and the temptation to smash the snooze button is difficult to resist. If you want to force your mind to immediately focus on waking up, this Nerf target alarm clock might get you up on time.

Not content to make a simple target, [Christopher Guichet] built an entire clock for the project. The crux of the sensor is a piezoelectric crystal which registers the dart impacts, and [Guichet]’s informative style explains how the sensor works with the help of an oscilloscope. A ring of 60 LEDs with the piezoelectric sensor form the clock face, all housed in a 3D printed enclosure. A rotary encoder is used to control the clock via an Arduino Uno, though a forthcoming video will delve into the code side of things; [Guichet] has hinted that he’ll share the files once the code has been tidied up a bit.


Using Backscatter Radio For A Soil Sensor Network

With almost 8 billion souls to feed and a changing climate to deal with, there’s never been a better time to field a meaningful “Internet of Agriculture.” But the expansive fields that make industrial-scale agriculture feasible work against the deployment of sensors and actuators because of a lack of infrastructure to power and connect everything. So a low-power radio network for soil moisture sensors is certainly a welcome development.

We can think of a lot of ways that sensors could be powered in the field. Solar comes to mind, since good exposure to the sun is usually a prerequisite for any cropland. But in practice, solar has issues, the prime one being that the plants need the sun more, and will quickly shade out low-profile soil-based sensors.

That’s why [Spyros Daskalakis] eschewed PV for his capacitive soil moisture sensors in favor of a backscatter technique very similar to that used in both the Great Seal Bug and mundane RFID tags alike. The soil sensor switches half of an etched PCB bowtie antenna in and out of a circuit at a frequency proportional to soil moisture. A carrier signal from a separate transmitter is reflected off the alternately loaded and unloaded antenna, picking up subcarriers with a frequency proportional to soil moisture. [Spyros] explains more about the sensor design and his technique for handling multiple sensors in his paper.

We really like the principles [Spyros] leveraged here, and the simplicity of the system. We can’t help but wonder what sort of synergies there are between this project and the 2015 Hackaday Prize-winning Vinduino project.
