What Every PCB Designer Needs To Know About Track Impedance With Eric Bogatin

September 12, 2022 by Dave Rowntree 7 Comments

PCB design starts off being a relatively easy affair — you create a rectangular outline, assign some component footprints, run some traces, and dump out some Gerber files to send to the fab. Then as you get more experienced and begin trying harder circuits, dipping into switching power supplies, high speed digital and low noise analog, things get progressively more difficult; and we haven’t even talked about RF or microwave design yet, where things can get just plain weird from the uninitiated viewpoint. [Robert Feranec] is no stranger to such matters, and he’s teamed up with one of leading experts (and one of this scribe’s personal electronics heroes) in signal integrity matters, [Prof. Eric Bogatin] for a deep dive into the how and why of controlled impedance design.

RG58 cable construction. These usually are found in 50 Ω and less commonly these days 75Ω variants

One interesting part of the discussion is why is 50 Ω so prevalent? The answer is firstly historical. Back in the 1930s, coaxial cables needed for radio applications, were designed to minimize transmission loss, using reasonable dimensions and polyethylene insulation, the impedance came out at 50 Ω. Secondarily, when designing PCB traces for a reasonable cost fab, there is a trade-off between power consumption and noise immunity.

As a rule of thumb, lowering the impedance increases noise immunity at the cost of more power consumption, and higher impedance goes the other way. You need to balance this with the resulting trace widths, separation and overall routing density you can tolerate.

Another fun story was when Intel were designing a high speed bus for graphical interfaces, and created a simulation of a typical bus structure and parameterized the physical constants, such as the trace line widths, dielectric thickness, via sizes and so on, that were viable with low-cost PCB fab houses. Then, using a Monte Carlo simulation to run 400,000 simulations, they located the sweet spot. Since the via design compatible with the cheap fab design rules resulted often in a via characteristic impedance that came out quite low, it was recommended to reduce the trace impedance from 100 Ω to 85 Ω differential, rather than try tweak the via geometry to bring it up to match the trace. Fun stuff!

We admit, the video is from the start of the year and very long, but for such important basic concepts in high speed digital design, we think it’s well worth your time. We certainly picked up a couple of useful titbits!

Now we’ve got the PCB construction nailed, why circle back and go check those cables?

Continue reading “What Every PCB Designer Needs To Know About Track Impedance With Eric Bogatin” →

MH-Z19-like NDIR CO2 Sensor HC8 Found And Explored

August 31, 2022 by Maya Posch 7 Comments

While on the search for an alternative to directly buying the fairly expensive MH-Z19 CO2 sensor, [spezifisch] came across a ‘BreeRainz’ branded gadget (also found under other brands) that claimed to use an NDIR (Non-Dispersive Infrared) sensor for measuring CO2 levels, while costing only €25. This type of sensor allows for CO2 levels to be measured directly, rather than inferred, making them significantly more precise.

The BreeRainz DM1308A device cracked open.

After cracking the gadget open (literally, due to the hidden screws), the CO2 sensor is clearly visible. While superficially identical to an MH-Z19, the NDIR sensor is actually called ‘HC8’, is produced by 广州海谷电子科技有限公司 (Guangzhou Haigu Electronic Technology Co., Ltd.). While being pin-compatible with the MH-Z19, its UART protocol is not the same. Fortunately there is a datasheet to help with implementing it, which is what [spezifisch] did.

This raises the question of whether harvesting NDIR CO2 sensors like this is worth it to save a few Euros. A quick look on German Amazon shows that the device in question currently costs €35, while a genuine MH-Z19 can be bought for €25 or less. There are also many MH-Z19 models (B, C and D), which cover an even wider price range. All of which points to finding an NDIR sensor-containing device can be interesting when it’s on sale, but if all you care about is the sensor itself, it’s probably best to just buy them directly.

A multimeter connected to the EEPROM chip with crocodile clips, showing that there's a 0.652V diode drop between GND and one of the IO pins

Dead EPROM Dumped With Help Of Body Diodes

August 26, 2022 by Arya Voronova 9 Comments

[Jason P], evidently an enjoyer of old reliable laser printing tech, spilled a drink (nitter) onto his Panasonic KX-P5400 SideWriter. After cleanup, everything worked fine — except that the PSU’s 5 V became 6.5 V during the accident, and the EPROM with LocalTalk interface firmware died, connection between VCC and GND seemingly interrupted inside the chip. Understandably, [Jason] went on Twitter, admitted the error of his ways, and sheepishly asked around for EPROM dumps.

Instead, [Manawyrm] wondered — would the chip have anti-ESD body diodes from GND to IO pins, by any chance? A diode mode multimeter check confirmed, yes! It was time for an outlandish attempt to recover the firmware. [Manawyrm] proposed that [Jason] connect all output pins but one to 5 V, powering the EPROM through the internal VCC-connected body diodes – reading the contents one bit at a time and then, combining eight dumps into a single image.

After preparing a TL866 setup, one hour of work and some PHP scripting later, the operation was a success. Apparently, in certain kinds of cases, dead ROM chips might still tell their tales! It’s not quite clear what happened here. The bond wires looked fine, so who knows where the connection got interrupted – but we can’t deny the success of the recovery operation! Need a primer on dumping EPROMs that are not dead? Here you go.

Continue reading “Dead EPROM Dumped With Help Of Body Diodes” →

Everything You Didn’t Know You Need To Know About Glitching Attacks

August 25, 2022 by Dan Maloney 1 Comment

If you’ve always been intrigued by the idea of performing hardware attacks but never knew where to start, then we’ve got the article for you: an in-depth look at the hows and whys of hardware glitching.

Attentive readers will recall that we’ve featured [Matthew Alt]’s reverse engineering exploits before, like the time he got root on a Linux-based arcade cabinet. For something a bit more challenging, he chose a Trezor One crypto wallet this time. We briefly covered a high-stakes hack (third item) on one of these wallets by [Joe Grand] a while back, but [Matthew] offers much, much more detail.

After introducing the theory of glitching attacks, which seek to force a processor into an undefined state using various methods, [Matthew] discusses the specifics of the Trezor wallet and how the attack was planned.

His target — the internal voltage regulator of the wallet’s STM32 microcontroller — required desoldering a few caps before the attack could begin, which was performed with a ChipWhisperer. After resolving a few initial timing issues, he was able to glitch the chip into dropping to the lowest level of readout protection, which gave access to the dongle’s SRAM through an ST-Link debugger.

While this summary may make the whole thing sound trivial, it’s obvious that the attack was anything but, nor was the effort that went into writing it all up. The whole thing reads a little like a techno-thriller, and there’s plenty of detail there if you’re looking for a tutorial on chip glitching. We’re looking forward to part 2, which will concentrate on electromagnetic fault-injection using a PicoEMP and what looks like a modified 3D printer.

Why Didn’t We Think Of Making A Remote Trigger Button?

August 21, 2022 by Jenny List 44 Comments

One of the many functions a digital oscilloscope offers over its analog ancestors is a trigger button. Alongside the usual electronic means of triggering the instrument, you can reach over and press a button to “freeze-frame” the action and preserve the trace. Sometimes doing it repeatedly it can become a chore to reach for the ‘scope. That’s where [Kevin Santo Cappuccio]’s remote trigger button comes in.

The button itself is about as simple a hack as it gets. The ‘scope was carefully dissected and some fine wires laid from the contacts within the front panel to a connector on the case. From there a cable goes to a box with a momentary action button switch. Plug in the box, and you can trigger the ‘scope from a distance!

We have to admit to rather admiring this hack, as needing to trigger the ‘scope is a well-known problem here. It’s easy to stab the wrong button and lose what you are looking for, so we’re rather surprised we didn’t think of this one ourselves. But then again from another viewpoint, it involves dissecting an expensive instrument which is best left unmolested. Perhaps manufacturers should consider adding this functionality.

This may be the most straightforward oscilloscope hack we’ve shown you, but it’s certainly not the first.

A Fast Linear Actuator Entirely In One PCB

August 10, 2022 by Jenny List 18 Comments

There are many ways to make a linear actuator, a device for moving something is a straight line. Most of the easier to make ones use a conventional motor and a mechanical linkage such as a rack and pinion or a lead screw, but [Ben Wang] has gone for something far more elegant. His linear actuator uses a linear motor, a linear array of coils for the motor phases, working against a line of magnets. Even better than that, he’s managed to make the whole motor out of a single PCB. And it’s fast!

This represents something of an engineering challenge, because achieving the required magnetic field from the relatively few turns possible on a PCB is no easy task. He’s done it by using a four-layer board to gather enough turns for the required magnetic field, and a simple view of the board doesn’t quite convey what lies beneath.

PCB motors are perhaps one of those areas where the state of the art is still evolving, and the exciting part is that their limits are being pushed right there in our community. And this isn’t the only linear motor we’ve seen recently either, here’s one used in a model train.

E-paper Price Tags Combined To Create A Large Wireless Display

August 5, 2022 by Danie Conradie 3 Comments

E-paper price tags have become popular for retail stores over the past few years, which is great for hackers since we now have some more cheap commodity hardware to play with. [Aaron Christophel] went all on creating grid displays with E-paper price tags, up to a 20×15 grid.

E-paper price tags are great for these kinds of projects, since they are wireless, lightweight, and can last a long time with the onboard batteries. To mount the individual tags on the plywood backboard,[Aaron] simply glued Velcro to the backboard of the tags. The displays’ firmware is based on the reverse engineering work of [Dmitry Grinberg], flashed to a few hundred tags using a convenient 3D printed pogo pin programming jig. All the displays are controlled via a Zigbee USB dongle plugged into a PC running station software.

[Aaron] is also experimenting with the displays removed from their enclosure and popped into a 3D printed grid frame. The disadvantage is the loss of the battery holders and the antenna, which are both integrated into the enclosure. He plans to get around this by powering the displays from a single large battery, and connecting an ESP32 to the displays via ISP or UART.

This project comes hot on the heels of another E-ink grid display project that uses Bluetooth and a rather clever update scheme.

Continue reading “E-paper Price Tags Combined To Create A Large Wireless Display” →