An Analog Charge Pump Fabrication-Time Attack Compromises A Processor

We are all used to malicious software: computers and operating systems compromised by viruses, worms, or Trojans. It has become a fact of life, and a whole industry of virus checking software exists to help users defend against it.

Underlying our concerns about malicious software is an assumption that the hardware is inviolate, that the computer itself cannot be inherently compromised. It’s a false one though, as it is perfectly possible for a processor or other integrated circuit to have a malicious function included in its fabrication. You might think that such functions would not be included by a reputable chip manufacturer, and you’d be right. Unfortunately, though, because the high cost of chip fabrication means that the semiconductor industry is a web of third-party fabrication houses, there are many points in the design and manufacturing chain at which extra components can be inserted before the chips are made. University of Michigan researchers have produced a paper on the subject (PDF) detailing a particularly clever attack on a processor that minimizes the number of components required through clever use of a FET gate in a capacitive charge pump.

On-chip backdoors have to be physically stealthy, difficult to trigger accidentally, and easy to trigger by those in the know. Their designers will find a line that changes logic state rarely, and attach a counter to it such that when they make it change state a certain number of times that would never happen accidentally, the exploit is triggered. In the past these counters have been traditional logic circuitry, an effective approach but one that leaves a significant footprint of extra components on the chip for which space must be found, and which can become obvious when the chip is inspected through a microscope.

The University of Michigan backdoor is not a counter but an analog charge pump. Every time its input is toggled, a small amount of charge is stored on the capacitor formed by the gate of a transistor, and eventually its voltage reaches a logic level such that an attack circuit can be triggered. They attached it to the divide-by-zero flag line of an OR1200 open-source processor, from which they could easily trigger it by repeatedly dividing by zero. The beauty of this circuit is both that it uses very few components so can hide more easily, and that the charge leaks away with time so it cannot persist in a state likely to be accidentally triggered.
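As an added illustration that is not part of the original article or of the Michigan paper, the following Python model captures the behaviour described above: each toggle of the monitored line pumps a little charge onto the gate, that charge leaks away continuously, and the payload only enables once the voltage crosses a threshold. All parameters are constructed for illustration, and the closed-form check shows why a line that only toggles occasionally can never reach the trigger level, however long the chip runs.

```python
import math

# Constructed model parameters: illustrative assumptions, not the
# paper's values. Units are volts and processor clock cycles.
STEP_V = 0.05      # charge (as voltage) added per toggle of the trigger line
LEAK_TAU = 200.0   # leak time constant of the gate capacitor, in cycles
V_MAX = 1.0        # supply rail; the gate voltage saturates here
V_TRIG = 0.7       # level at which the attack circuit sees a logic high
DECAY = math.exp(-1.0 / LEAK_TAU)  # per-cycle leak factor


def simulate(toggle_cycles, total_cycles):
    """Step the charge pump cycle by cycle.

    toggle_cycles: cycles on which the monitored line (e.g. the
    divide-by-zero flag) changes state.
    Returns (cycle at which the trigger first fired or None, final voltage).
    """
    toggles = set(toggle_cycles)
    v, fired = 0.0, None
    for t in range(total_cycles):
        v *= DECAY                      # charge leaks away every cycle
        if t in toggles:
            v = min(V_MAX, v + STEP_V)  # each toggle pumps a little charge in
        if fired is None and v >= V_TRIG:
            fired = t                   # payload enable goes high
    return fired, v


def fires_eventually(interval):
    """Closed-form check: with one toggle every `interval` cycles the pump
    settles at STEP_V / (1 - DECAY**interval). It can only ever trigger if
    that plateau reaches V_TRIG; a rare, accidental toggle pattern does not.
    """
    plateau = min(V_MAX, STEP_V / (1.0 - DECAY ** interval))
    return plateau >= V_TRIG


def burst_then_idle(n_toggles=20, total_cycles=2000):
    """Toggle on n consecutive cycles, then leave the line quiet."""
    return simulate(range(n_toggles), total_cycles)


def sparse_toggles(interval=1000, total_cycles=20000):
    """Occasional toggles, as ordinary code might produce by accident."""
    return simulate(range(0, total_cycles, interval), total_cycles)


if __name__ == "__main__":
    print("burst:", burst_then_idle())   # fires, then leaks back toward 0 V
    print("sparse:", sparse_toggles())   # never fires
```

Because the charge drains once the burst stops, the model also shows why the backdoor leaves no lasting armed state for a later accidental toggle to complete.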

The best hardware hacks are those that are simple, novel, and push a device into doing something it would not otherwise have done. This one has all that, for which we take our hats off to the Michigan team.

If this subject interests you, you might like to take a look at a previous Hackaday Prize finalist: ChipWhisperer.

[Thanks to our colleague Jack via Wired]

Different Differentials & The Pitfalls Of The Easy Swap

I dig cars, and I do car stuff. I started fairly late in life, though, and I’m only just starting to get into the whole modification thing. Now, as far as automobiles go, you can pretty much do anything you set your mind to – engine swaps, drivetrain conversions, you name it – it’s been done. But such jobs require a high level of fabrication skill, automotive knowledge, and often a fully stocked machine shop to match. Those of us new to the scene tend to start a little bit smaller.

So where does one begin? Well, there’s a huge realm of mods that can be done that are generally referred to as “bolt-ons”. This centers around the idea that the install process of the modification is as simple as following a basic set of instructions to unbolt the old hardware and bolt in the upgraded parts. Those that have trodden this ground before me will be chuckling at this point – so rarely is a bolt-on ever just a bolt-on. What follows, the journey of my Mazda’s differential upgrade, will bear this out.

The car in question, currently known as the “Junkbox MX-5” until it starts running well enough to earn a real name. It somehow looks passable here, but in person I promise you, it looks awful. Credit: Lewin Day

It all started when I bought the car, back in December 2016. I’d just started writing for Hackaday and my humble Daihatsu had, unbeknownst to me, just breathed its last. I’d recently come to the realisation that I wasn’t getting any younger, and despite being obsessed with cars, I’d never actually owned a sports car or driven one in anger. It was time to change.

Papa Loves Mamba: Slithering Robot Is Reconfigurable

It makes sense considering evolution, but nature comes up with lots of different ways to do things. Consider moving. Land animals walk on four feet or two, some jump, and some use peristalsis or otherwise slither. Oddly, though, mother nature never developed the wheel (although the mother-of-pearl moth’s caterpillar will form its entire body into a hoop and roll away from attackers). Human-developed robots, on the other hand, most often use wheels. Even a tank track has wheels within. [Joesinstructables]’s latest robot still uses wheels, but it emulates the slithering motion of a snake. He calls it the Lake Erie Mamba.

The most interesting thing about the robot is that it can reconfigure and move in several different modalities. Like the caterpillar, it can even form a wheel like an ouroboros and roll. You can see that at the end of the video, below.


Model Sputnik Finds Its Voice After Decades Of Silence

As we approach the 60th anniversary of the human race becoming a spacefaring species, Sputnik nostalgia will no doubt be on the rise. And rightly so — even though Sputnik was remarkably primitive compared to today’s satellites, its 1957 launch was an inflection point in history and a huge achievement for humanity.

The Soviets, understandably proud of their accomplishment, created a series of commemorative models of Earth’s first artificial moon as gifts to other countries. How one came into possession of the Royal Society isn’t clear, but [Fran Blanche] found out about it through a circuitous route detailed in the video below, and undertook to reproduce the original electronics from the model that made the distinctive Sputnik beeps.

The Royal Society’s version of the model no longer works, but luckily it came with a schematic of the solid-state circuit used to emulate the original’s vacuum-tube guts. Intent on building the circuit as close to vintage as possible and armed with a bag of germanium transistors from the 60s, [Fran] worked through the schematic, correcting a few issues here and there, and eventually brought the voice of Sputnik back to life.

If you think we’ve covered Sputnik’s rebirth before, you may be thinking about our article on how some hams rebuilt Sputnik’s guts from a recently uncovered Soviet-era schematic. [Fran]’s project just reproduces the sound of Sputnik — no license required!


ESP32’s Freedom Output Lets You Do Anything

The ESP32 is Espressif’s new wonder-chip, and one of the most interesting aspects of its development has been the almost entirely open-source development strategy that they’re taking. But the “almost” in almost entirely open is important — there are still some binary blobs in the system, and some of them are exactly where a hacker wouldn’t want them to be. Case in point: the low-level WiFi firmware.

So that’s where [Jeija]’s reverse engineering work steps in. He’s managed to decode enough of a function called ieee80211_freedom_output to craft and send apparently arbitrary WiFi data and management frames, and to monitor them as well.

This ability is insanely useful for a WiFi device. With low-level access like this, one can implement custom protocols for mesh networking, low-bandwidth data transfers, or remove the requirement for handshaking entirely. One can also spam a system with so many fake SSIDs that it crashes, deauth everyone, or generally cause mayhem. Snoop on your neighbors, or build something new and cool: with great power comes great responsibility.

Anyway, we reported on [Jeija]’s long distance hack and the post may have read like it was all about the antenna, but that vastly underestimates the role played by this firmware reverse-engineering hack. Indeed, we’re so stoked about the hack that we thought it was worth reiterating: the ESP32 is now a WiFi hacker’s dream.

Hackaday Prize Entry: MCXY – Mini Laser Cut Aluminum 3D Printer

With the easy availability of cheap 3D printers from the usual Chinese websites, you might think that there could be little room for another home-made 3D printer project. Fortunately, the community of 3D printer making enthusiasts doesn’t see it that way.

[Bobricius] has a rather nice 3D printer design in the works that we think you’ll like. It follows the MakerBot/Ultimaker style of construction in that it is a box rather than a gantry, and it is assembled from CNC-cut aluminum for a sturdy and pleasing effect. What sets it apart though is its size: at only 190x190x251mm and with an 80x80x80mm print volume, it’s tiny. You might wonder why that could be an asset, but when you consider that he already has a much larger printer, it becomes obvious that something small and portable for quick tiny prints has its place.

Unusually for a home-made 3D printer, it has no 3D printed parts; instead, it is laser cut throughout. Also unusually, all the CAD work was done in EAGLE, better known for PCB work. It’s a work in progress we’re featuring today because it’s a Hackaday Prize entry, but it looks as though the finished item will be something of a little gem.

Homemade 3D printers can be particularly impressive, for example, we’ve shown you this excellent SLA printer.

Steve Evans Passes Away, Leaves An Inspiring Legacy

It is with great sadness that Hackaday learns of the passing of Steve Evans. He was one of the creators of Eyedrivomatic, the eye-controlled wheelchair project which was awarded the Grand Prize during the 2015 Hackaday Prize.

News of Steve’s passing was shared by his teammate Cody Barnes in a project update on Monday. For more than a decade Steve had been living with Motor Neurone Disease (MND). He slowly lost the function of his body, but his mind remained intact throughout. We are inspired that despite his struggles he chose to spend his time creating a better world. Above you can see him test-driving an Eyedrivomatic prototype which is the blue 3D printed attachment seen on the arm of his chair.

The Eyedrivomatic is a hardware adapter for electric wheelchairs which bridges the physical controls of the chair with the eye-controlled computer used by people living with ALS/MND and in many other situations. The project is Open Hardware and Open Source Software, and the team continues to work on making Eyedrivomatic more widely available by refining the design for ease of fabrication, and has even begun to sell kits so those who cannot build it themselves still have access.

The team will continue with the Eyedrivomatic project. If you are inspired by Steve’s story, now is a great time to look into helping out. Contact Cody Barnes if you would like to contribute to the project. Love and appreciation for Steve and his family may be left as comments on the project log.