Future Brings CPU Modules, And The Future Is Now

Modularity is a fun topic for us. There’s something satisfying about seeing a complex system split into parts and these parts made replaceable. We often want some parts of our devices swapped, after all – for repair or upgrade purposes, and often, it’s just fun to scour eBay for laptop parts, equipping your Thinkpad with the combination of parts that fits you best. Having always been fascinated by modularity, I believe that hackers deserve to know what’s been happening on the CPU module front over the past decade.

A YouTube thumbnail showing a Thinkpad in the background with "Not Garbage" written over its keyboard, and one more keyboard overlaid onto the picture with "garbage" written on that one.
This “swap your Thinkpad keyboard” video thumbnail captures a modularity-enabled sentiment many can relate to.

We’ve gotten used to swapping components in desktop PCs, given their unparalleled modularity, and it’s big news when someone tries to split a yet-monolithic concept like a phone or a laptop into modules. Sometimes, the CPU itself is put into a module. From the grandiose idea of Project Ara, to Intel’s Compute Card, to Framework laptop’s standardized motherboards, companies have been trying to capitalize on what CPU module standardization can bring them.

There are some hobbyist-driven and hobbyist-friendly modular standards, too – the kind you can already use to wrangle a powerful layout-demanding CPU and RAM combo and place it on your simple self-designed board. I’d like to tell you about a few notable modular CPU concepts – their ideas, complexities, constraints and stories. As you work on that one ambitious project of yours – you know, the one – it’s likely you will benefit a lot from such a standard. Or, perhaps, you’ll find it necessary to design the next standard for others to use – after all, we all know there’s never too few standards!

What Every PCB Designer Needs To Know About Track Impedance With Eric Bogatin

PCB design starts off being a relatively easy affair — you create a rectangular outline, assign some component footprints, run some traces, and dump out some Gerber files to send to the fab. Then as you get more experienced and begin trying harder circuits, dipping into switching power supplies, high speed digital and low noise analog, things get progressively more difficult; and we haven’t even talked about RF or microwave design yet, where things can get just plain weird from the uninitiated viewpoint. [Robert Feranec] is no stranger to such matters, and he’s teamed up with one of the leading experts (and one of this scribe’s personal electronics heroes) in signal integrity matters, [Prof. Eric Bogatin], for a deep dive into the how and why of controlled impedance design.

RG58 cable construction. These are usually found in 50 Ω and, less commonly these days, 75 Ω variants.

One interesting part of the discussion is why 50 Ω is so prevalent. The answer is firstly historical. Back in the 1930s, coaxial cables needed for radio applications were designed to minimize transmission loss, and with reasonable dimensions and polyethylene insulation, the impedance came out at 50 Ω. Secondly, when designing PCB traces for a reasonable cost fab, there is a trade-off between power consumption and noise immunity.

As a rule of thumb, lowering the impedance increases noise immunity at the cost of more power consumption, and higher impedance goes the other way. You need to balance this with the resulting trace widths, separation and overall routing density you can tolerate.

Another fun story was when Intel was designing a high speed bus for graphical interfaces. They created a simulation of a typical bus structure and parameterized the physical constants, such as the trace line widths, dielectric thickness, via sizes and so on, that were viable with low-cost PCB fab houses. Then, using a Monte Carlo approach to run 400,000 simulations, they located the sweet spot. Since the via design compatible with the cheap fab design rules often resulted in a via characteristic impedance that came out quite low, it was recommended to reduce the trace impedance from 100 Ω to 85 Ω differential, rather than try to tweak the via geometry to bring it up to match the trace. Fun stuff!

We admit, the video is from the start of the year and very long, but for such important basic concepts in high speed digital design, we think it’s well worth your time. We certainly picked up a couple of useful titbits!

Now we’ve got the PCB construction nailed, why not circle back and go check those cables?

MH-Z19-like NDIR CO2 Sensor HC8 Found And Explored

While on the search for an alternative to directly buying the fairly expensive MH-Z19 CO2 sensor, [spezifisch] came across a ‘BreeRainz’ branded gadget (also found under other brands) that claimed to use an NDIR (Non-Dispersive Infrared) sensor for measuring CO2 levels, while costing only €25. This type of sensor allows for CO2 levels to be measured directly, rather than inferred, making them significantly more precise.

The BreeRainz DM1308A device cracked open.

After cracking the gadget open (literally, due to the hidden screws), the CO2 sensor is clearly visible. While superficially identical to an MH-Z19, the NDIR sensor is actually called ‘HC8’ and is produced by 广州海谷电子科技有限公司 (Guangzhou Haigu Electronic Technology Co., Ltd.). While it is pin-compatible with the MH-Z19, its UART protocol is not the same. Fortunately there is a datasheet to help with implementing it, which is what [spezifisch] did.

This raises the question of whether harvesting NDIR CO2 sensors like this is worth it to save a few Euros. A quick look on German Amazon shows that the device in question currently costs €35, while a genuine MH-Z19 can be bought for €25 or less. There are also many MH-Z19 models (B, C and D), which cover an even wider price range. All of which suggests that finding a device containing an NDIR sensor can be interesting when it’s on sale, but if all you care about is the sensor itself, it’s probably best to just buy one directly.

A multimeter connected to the EEPROM chip with crocodile clips, showing that there's a 0.652V diode drop between GND and one of the IO pins

Dead EPROM Dumped With Help Of Body Diodes

[Jason P], evidently an enjoyer of old reliable laser printing tech, spilled a drink onto his Panasonic KX-P5400 SideWriter. After cleanup, everything worked fine — except that the PSU’s 5 V became 6.5 V during the accident, and the EPROM with LocalTalk interface firmware died, the connection between VCC and GND seemingly interrupted inside the chip. Understandably, [Jason] went on Twitter, admitted the error of his ways, and sheepishly asked around for EPROM dumps.

Instead, [Manawyrm] wondered — would the chip have anti-ESD body diodes from GND to IO pins, by any chance? A diode mode multimeter check confirmed, yes! It was time for an outlandish attempt to recover the firmware. [Manawyrm] proposed that [Jason] connect all output pins but one to 5 V, powering the EPROM through the internal VCC-connected body diodes, reading the contents one bit at a time and then combining the eight dumps into a single image.

After preparing a TL866 setup, one hour of work and some PHP scripting later, the operation was a success. Apparently, in certain kinds of cases, dead ROM chips might still tell their tales! It’s not quite clear what happened here. The bond wires looked fine, so who knows where the connection got interrupted – but we can’t deny the success of the recovery operation! Need a primer on dumping EPROMs that are not dead? Here you go.
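The final step of that recovery, merging eight one-bit-valid dumps into one image, can be sketched as follows. This is an added example, not the PHP script used in the original recovery; it assumes dump k was read with data pin Dk left free and that pins tied to 5 V read back as 1, and the function names and sample bytes are made up for illustration.

```python
"""Added example: merge eight single-bit EPROM dumps into one image."""


def merge_bit_dumps(dumps):
    """dumps[k] is the read taken with data pin Dk free; only bit k is trusted."""
    if len(dumps) != 8:
        raise ValueError("expected one dump per data bit (8 total)")
    size = len(dumps[0])
    if any(len(d) != size for d in dumps):
        raise ValueError("dumps differ in length; re-read before merging")
    image = bytearray(size)
    for bit, dump in enumerate(dumps):
        mask = 1 << bit
        for addr, value in enumerate(dump):
            # Keep only the one bit this pass could actually observe.
            image[addr] |= value & mask
    return bytes(image)


def suspicious_dumps(dumps):
    """Indexes of dumps whose trusted bit never changes across the whole
    address range, which usually means a bad clip or a pin that was
    tied high by mistake rather than real firmware content."""
    stuck = []
    for bit, dump in enumerate(dumps):
        if len({(v >> bit) & 1 for v in dump}) == 1:
            stuck.append(bit)
    return stuck


def simulate_reads(firmware):
    """Constructed input: what eight passes would look like if every
    tied-high pin reads as 1 (an assumption, see lead-in)."""
    return [
        bytes((b & (1 << bit)) | (0xFF & ~(1 << bit)) for b in firmware)
        for bit in range(8)
    ]


# Constructed sample bytes, not data from the printer ROM.
SAMPLE = bytes([0x00, 0xFF, 0xA5, 0x5A, 0x12, 0x80, 0x01, 0x7E])

if __name__ == "__main__":
    passes = simulate_reads(SAMPLE)
    print("stuck bits:", suspicious_dumps(passes))
    print("recovered :", merge_bit_dumps(passes).hex())
```

Reading each bit twice and comparing the two passes before merging is a cheap way to catch marginal contacts that the stuck-bit check alone would miss.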


Everything You Didn’t Know You Need To Know About Glitching Attacks

If you’ve always been intrigued by the idea of performing hardware attacks but never knew where to start, then we’ve got the article for you: an in-depth look at the hows and whys of hardware glitching.

Attentive readers will recall that we’ve featured [Matthew Alt]’s reverse engineering exploits before, like the time he got root on a Linux-based arcade cabinet. For something a bit more challenging, he chose a Trezor One crypto wallet this time. We briefly covered a high-stakes hack (third item) on one of these wallets by [Joe Grand] a while back, but [Matthew] offers much, much more detail.

After introducing the theory of glitching attacks, which seek to force a processor into an undefined state using various methods, [Matthew] discusses the specifics of the Trezor wallet and how the attack was planned.

His target — the internal voltage regulator of the wallet’s STM32 microcontroller — required desoldering a few caps before the attack could begin, which was performed with a ChipWhisperer. After resolving a few initial timing issues, he was able to glitch the chip into dropping to the lowest level of readout protection, which gave access to the dongle’s SRAM through an ST-Link debugger.

While this summary may make the whole thing sound trivial, it’s obvious that the attack was anything but, nor was the effort that went into writing it all up. The whole thing reads a little like a techno-thriller, and there’s plenty of detail there if you’re looking for a tutorial on chip glitching. We’re looking forward to part 2, which will concentrate on electromagnetic fault-injection using a PicoEMP and what looks like a modified 3D printer.

Why Didn’t We Think Of Making A Remote Trigger Button?

One of the many functions a digital oscilloscope offers over its analog ancestors is a trigger button. Alongside the usual electronic means of triggering the instrument, you can reach over and press a button to “freeze-frame” the action and preserve the trace. When you have to do it repeatedly, reaching for the ‘scope can become a chore. That’s where [Kevin Santo Cappuccio]’s remote trigger button comes in.

The button itself is about as simple a hack as it gets. The ‘scope was carefully dissected and some fine wires laid from the contacts within the front panel to a connector on the case. From there a cable goes to a box with a momentary action button switch. Plug in the box, and you can trigger the ‘scope from a distance!

We have to admit to rather admiring this hack, as needing to trigger the ‘scope is a well-known problem here. It’s easy to stab the wrong button and lose what you are looking for, so we’re rather surprised we didn’t think of this one ourselves. But then again from another viewpoint, it involves dissecting an expensive instrument which is best left unmolested. Perhaps manufacturers should consider adding this functionality.

This may be the most straightforward oscilloscope hack we’ve shown you, but it’s certainly not the first.

A Fast Linear Actuator Entirely In One PCB

There are many ways to make a linear actuator, a device for moving something in a straight line. Most of the easier-to-make ones use a conventional motor and a mechanical linkage such as a rack and pinion or a lead screw, but [Ben Wang] has gone for something far more elegant. His linear actuator uses a linear motor: a linear array of coils for the motor phases, working against a line of magnets. Even better than that, he’s managed to make the whole motor out of a single PCB. And it’s fast!

This represents something of an engineering challenge, because achieving the required magnetic field from the relatively few turns possible on a PCB is no easy task. He’s done it by using a four-layer board to gather enough turns for the required magnetic field, and a simple view of the board doesn’t quite convey what lies beneath.

PCB motors are perhaps one of those areas where the state of the art is still evolving, and the exciting part is that their limits are being pushed right there in our community. And this isn’t the only linear motor we’ve seen recently either; here’s one used in a model train.