A TTL CPU, Minimising Its Chip Count

June 23, 2019 by Jenny List 19 Comments

By now we should all be used to the astonishing variety of CPUs that have come our way created from discrete logic chips. We’ve seen everything from the familiar Von Neumann architectures to RISC and ever transport-triggered architecture done in 74 TTL derivatives, and fresh designs remain a popular project for many people with an interest in the inner workings of a computer.

[Warren Toomey]’s CSCvon8 is an interesting machine that implements an 8-bit computer with a 64-bit address space using only 17 chips, and without resorting to any tricks involving microcontrollers. It implements a fairly conventional Von Neumann architecture using TTL with a couple of tricks that use modern chips but could have been done in the same way in decades past. Instruction microcode is stored in an EEPROM, and the ALU is implemented in a very large EPROM that would probably once have been eye-wateringly expensive. This in particular removes many discrete TTL chips from the total count, in the absence of the classic 74181 single-chip part. To make it useful there is 32k each of RAM and EEPROM, and also a UART for serial access. The whole is brought together on a neat PCB, and there is a pile of demo code to get started with. Everything can be found in the project’s GitHub repository.

At the start of this article we mentioned a couple of unconventional TTL CPUs. The transport triggered one we featured in 2017, and the RISC one is the Gigatron which has appeared here more than once.

This Week In Security: SACK Of Death, Rambleed, HIBP For Sale, And Oracle Weblogic — Again!

June 21, 2019 by Jonathan Bennett 13 Comments

Netflix isn’t the first name to come to mind when considering security research firms, but they make heavy use of FreeBSD in their content delivery system and do security research as a result. Their first security bulletin of the year, not surprisingly, covers a FreeBSD vulnerability that happens to also affect Linux kernels from the last 10 years. This vulnerability uses SACKs and odd MSS values to crash a server kernel.

To understand Selective ACKs, we need to step back and look at how TCP connections work. TCP connections provide guaranteed delivery, implemented in the from of ACKnowledgement (ACK) packets. We think of a TCP connection as having a dedicated ACK packet for every data packet. In reality, the Operating System makes great effort to avoid sending “naked” ACK packets, and combines multiple ACKs in a single packet. An ACK is simply a flag in a packet header combined with a running total of bytes received, and can be included in a normal data packet. As much as is possible, the ACK for data received is sent along with data packets flowing in the opposite direction. Continue reading “This Week In Security: SACK Of Death, Rambleed, HIBP For Sale, And Oracle Weblogic — Again!” →

Open Source Headset With Inside-Out Tracking, Video Passthrough

June 15, 2019 by Donald Papp 4 Comments

The folks behind the Atmos Extended Reality (XR) headset want to provide improved accessibility with an open ecosystem, and they aim to do it with a WebVR-capable headset design that is self-contained, 3D-printable, and open-sourced. Their immediate goal is to release a development kit, then refine the design for a wider release.

An early prototype of the open source Atmos Extended Reality headset.

The front of the headset has a camera-based tracking board to provide all the modern goodies like inside-out head and hand tracking as well as the ability to pass through video. The design also provides for a variety of interface methods such as eye tracking and 6 DoF controllers.

With all that, the headset gives users maximum flexibility to experiment with and create different applications while working to keep development simple. A short video showing off the modular design of the HMD and optical assembly is embedded below.

Extended Reality (XR) has emerged as a catch-all term to cover broad combinations of real and virtual elements. On one end of the spectrum are completely virtual elements such as in virtual reality (VR), and towards the other end of the spectrum are things like augmented reality (AR) in which virtual elements are integrated with real ones in varying ratios. With the ability to sense the real world and pass through video from the cameras, developers can choose to integrate as much or as little as they wish.

Terms like XR are a sign that the whole scene is still rapidly changing and it’s fascinating to see how development in this area is still within reach of small developers and individual hackers. The Atmos DK 1 developer kit aims to be released sometime in July, so anyone interested in getting in on the ground floor should read up on how to get involved with the project, which currently points people to their Twitter account (@atmosxr) and invites developers to their Discord server. You can also follow along on their newly published Hackaday.io page.

Continue reading “Open Source Headset With Inside-Out Tracking, Video Passthrough” →

This Week In Security: Use Emacs, Crash A Windows Server, And A Cryptocurrency Heist

June 14, 2019 by Jonathan Bennett 5 Comments

It looks like Al was right, we should all be using Emacs. On the 4th of June, [Armin Razmjou] announced a flaw in Vim that allowed a malicious text file to trigger arbitrary code execution. It’s not every day we come across a malicious text file, and the proof of concept makes use of a clever technique — escape sequences hide the actual payload. Printing the file with cat returns “Nothing here.” Cat has a “-v” flag, and that flag spills the secrets of our malicious text file. For simplicity, we’ll look at the PoC that doesn’t include the control characters. The vulnerability is Vim’s modeline function. This is the ability to include editor options in a text file. If a text file only works with 80 character columns, a modeline might set “textwidth=80”. Modeline already makes use of a sandbox to prevent the most obvious exploits, but [Armin] realized that the “:source!” command could run the contents of a file outside that sandbox. “:source! %” runs the contents of the current file — the malicious text file.

:!uname -a||" vi:fen:fdm=expr:fde=assert_fails("source\!\ \%"):fdl=0:fdt="

Taking this apart one element at a time, the “:!” is the normal mode command to run something in the shell, so the rest of the line is what gets run. “uname -a” is the arbitrary command, benign in this case. Up next is the OR operator, “||” which fully evaluates the first term first, and only evaluates what comes after the operator if the first term returns false. In this case, it’s a simple way to get the payload to run even though the rest of the line is garbage, as far as bash is concerned. “vi:” informs Vim that we have a modeline string. “:fen” enables folding, and “:fdm=expr” sets the folding method to use an expression. This feature is usually used to automatically hide lines matching a regular expression. “:fde=” is the command to set the folding expression. Here’s the exploit, the folding expression can be a function like “execute()” or “assert_fails()”, which allows calling the :source! command. This pops execution out of the sandbox, and begins executing the text file inside vim, just as if a user were typing it in from the keyboard. Continue reading “This Week In Security: Use Emacs, Crash A Windows Server, And A Cryptocurrency Heist” →

Something’s Fishy About This Computer

June 10, 2019 by Mike Szczys 10 Comments

Aquariums are amazingly beautiful displays of vibrant ocean life, or at least they can be. For a lot of people aquariums become frustrating chemistry battle to keep the ecosystem heathly and avoid a scummy cesspool where no fish want to be.

This hack sidesteps that problem, pulling off some of the most beautiful parts of a living aquarium, while keeping your gaming rig running nice and cool. That’s right, this tank is a cold mineral oil dip for a custom PC build.

It’s the second iteration [Frank Zhao] has built, with many improvements along the way. The first aquarium computer was shoe-horned inside of a very tiny aquarium — think the kind for Beta fish. It eventually developed a small crack that spread to a bigger one with a lot of mineral oil to clean up. Yuck. The new machine has a much larger tank and laser cut parts which is a step up from the hand-cut acrylic of the first version. This makes for a very nice top bezel that hangs the PC guts and provides unobtrusive input and output ports for the oil circulation. A radiator unit hidden out of sight cools the oil as it circulates through the system.

These are all nice improvements, but it’s the aesthetic of the tank itself that really make this one special. The first version was so cramped that a couple of sad plastic plants were the only decoration. But now the tank has the whole package, with coral, more realistic plants, a sunken submarine, and of course the treasure chest bubbler. Well done [Frank]!

This Week In Security: Nvidia, Ransomware Retirement, And A TOCTOU Bug In Docker

June 7, 2019 by Jonathan Bennett 2 Comments

Nvidia’s GeForce Experience (GFE) is the companion application for the Nvidia drivers, keeping said drivers up to date, as well as adding features around live streaming and media capture. The application runs as two parts, a GUI, and a system service, using an HTTP API to communicate. [David Yesland] from Rhino Security Labs decided to look into this API, searching for interesting, undocumented behavior, and shared the results on Sunday the 2nd.

The first interesting finding was that the service was written in Javascript and run using Node.js. Javascript is a scripting language, not a compiled language — the source code of the service was open for studying. This led to the revelation that API requests would be accepted from any origin, so long as the request included the proper security token. The application includes an update mechanism, which allows an authorized API call to execute an arbitrary system command. So long as the authentication token isn’t leaked to an attacker, this still isn’t a problem, right? Continue reading “This Week In Security: Nvidia, Ransomware Retirement, And A TOCTOU Bug In Docker” →

C.H.I.P. Or Z.O.M.B.I.E? We Can’t Decide

June 4, 2019 by Jenny List 58 Comments

Imagine for a moment that you are back in 2015. Radio Shack are going to the wall, Heathkit returning from the dead, and Arduino spliting into two warring Arduinos. And someone has announced a tiny Linux-capable microprocessor board called the C.H.I.P. that will cost only $9. We all thought that last one was pretty cool at the time, didn’t we. Then Heathkit’s new products turned out to be pretty lacklustre, the warring Arduinos merged, and the C.H.I.P? The consensus was that $9 was a tall order for that BoM at the time, and then the Raspberry Pi people gave away a free Pi Zero on the front of a magazine before selling it for £5 ($6.30). It didn’t matter that the C.H.I.P. had a nifty all-in-one screen and keyboard combo called the Pocket C.H.I.P. which was a significant object of desire, the venture lasted for three years before finally hitting the rocks last year.

Now the C.H.I.P. is back, in a crowdfunding campaign fronted by one of its original engineers. It’s been renamed the Popcorn, and it comes in three variants. The Original Popcorn is a compatible C.H.I.P. by any other name, while the Super Popcorn is a much higher-spec machine that comes in quad and octacore variants with AmiLogic SoCs. All three have 32 GB eMMC on board, and the specs are suitably impressive but not out of the ordinary for a 2019 single board computer. Prices are $49, $69, and $89, which takes away that optimistic $9 price tag that made the original so attractive. There is no Pocket C.H.I.P. which is a shame because for us that was the only reason to buy a C.H.I.P, but there is a companion board called the Stovetop that provides Raspberry Pi-style desktop and display interfaces.

We wish them well, but it’s difficult to escape the conclusion that the hardware world has moved on and the window of opportunity has closed. It’s not that these boards are not good ones, more that they now join a plethora of others which come a lot closer to the low price of the original. Still, there remains a C.H.I.P. community still out there, so perhaps that will save the day for them.

We interviewed the C.H.I.P.’s creators back in 2015, and marked its passing last year.

Thanks [Rose] for the tip.