Viewing Countrywide Weather At A Glance

May 3, 2020 by Tom Nardi 5 Comments

For his latest project, weather display aficionado [Richard] has put together a handsome little device that shows the temperatures recorded at nine different airports located all over the British Isles. Of course the concept could be adapted to wherever it is that you call home, assuming there are enough Internet-connected weather stations in the area to fill out the map.

The electronics are fairly minimal, consisting of a NodeMCU ESP8266 development board, a few seven segment LED display modules, and a simple power supply knocked together on a scrap of perfboard. As you might expect, the code is rather straightforward as well. It just needs to pull down the temperatures from an online API and light up the displays. What makes this project special is the presentation.

As [Richard] shows in the video after the break, the key is a sheet of acrylic that’s been sanded so it diffuses the light of 42 LEDs that have been painstakingly installed in holes drilled around the edge of the sheet. Combined with a printed overlay sheet, this illuminates the map and its legend in low-light conditions. It’s a simple technique that not only looks fantastic, but makes the display easy to read day or night. Definitely a tip worth mentally filing away, as it has plenty of possible applications outside of this particular build.

With his projects, [Richard] has shown himself to be a master of unique and data-rich weather displays, and a great lover of the iconic seven segment LED display. While his particular brand of climate data overload might not be for everyone, you’ve got to admire his knack for visualizing data.

Continue reading “Viewing Countrywide Weather At A Glance” →

Chat Cat Waves On Slack @

May 2, 2020 by Kristina Panos 2 Comments

Isolated as we are by national lockdowns and statewide stay-at-home orders, many coworkers are more connected than ever before through oddly-named productivity/chat programs such as Slack. But those notifications flying in from the sidebar all the time are are oh-so-annoying and anti-productive. Ignoring requests for your attention will only make them multiply. So how do you make the notifications bearable?

[Mr. Tom] wrote in to tell us about his solution, which involves a maneki-neko — one of those good luck cats that wave slowly and constantly thanks to a solar-powered electromagnetic pendulum. Now whenever [Mr. Tom] has an incoming message, the cat starts waving gently over on the corner of his desk. It’s enough movement to be noticeable, but not annoying.

An ESP32 inside the kitty looks at incoming messages and watches for [Mr. Tom]’s user ID, prioritizing messages where he has been mentioned directly. This kitty is smart, too. As soon as the message is dealt with, the data pin goes low again, and the cat can take a nap for a while.

The natural state of the maneki-neko is pretty interesting, as we saw in this teardown a few years back.

Using An FPGA To Glitch The Olimex LPC-P1343

April 30, 2020 by Sharon Lin 2 Comments

After trying out hardware hacking using an FPGA to interface with target hardware, [Grazfather] was inspired to try using the iCEBreaker (one of the many hobbyist FPGAs to have recently flooded the market) to build a UART-controllable glitcher for the Olimex LPC-P1343.

FPGA Modules (The **cmd** module intercepts what the host computer sends over UART, the **resetter** holds the reset line until the target is reset, the **delay** starts counting on reset and waits for a configured number of cycles before sending its signal, the **trigger** waits for the delay to finish before telling the pulse module to send a pulse, and the **pulse** works similar to the delay module and outputs to the power multiplexer.)

When the target board boots up, the bootROM reads the flash and determines whether the UART goes to a shell and if the shell can be used to read out the flash. This is meant for developing firmware and debugging it in the bootloader, only flashing a version when the firmware is production-ready. The vulnerability is that only a specific value read from address 0x2FC and the state of a few pins can lock the bootloader in the expected way, and any other value at the address causes the bootROM to consider the device unlocked. Essentially, the mechanism is the opposite of how a lock ought to work.

The goal is to get the CPU to misread the flash at the precise moment it is meant to be reading the specific value, then jumping to the bootloader in the unlocked state. The FPGA can be used as a tool between the host machine and target board, communicating via UART. The FGPA can support configuring the delay between resetting the target board and pulsing a ‘glitch voltage’, as well as resetting the target board and activating the glitch. The primary reasons for using the FPGA over a different microcontroller are that the FPGA allows for precise timing (83.3ns precision) and removes worries about jitters (a Raspberry Pi might have side effects from OS scheduling and other processes and microcontrollers might have interrupts messing up the timing).

To simulate the various modules, [Grazfather] used Icarus Verilog as well as GTKWave to observe the waveforms generated. A separate logic analyzer observes the effects on real hardware.

With enough time, it is possible to brute force any combination of delay and width until you get a dump of the flash you’re not meant to read. You can check out how the width of the pulse gets wider until the max, when the delay is incremented and the width values are tried again.

Continue reading “Using An FPGA To Glitch The Olimex LPC-P1343” →

Get Your Microcontroller Online At The Speed Of Light

April 28, 2020 by Tom Nardi 33 Comments

When developing a network-enabled project with the ESP8266 or ESP32, the easiest way to handle WiFi credentials is to just hardcode the access point and encryption key into the program. But that means recompiling the firmware if you ever want to use it on a different network, which isn’t really an option if you’re trying to make something that other people can easily use. If you’re expecting grandma to bust out the UART cable, we’ve got bad news for you.

There are various ways around this problem, but we think the one developed by [Pekka Lehtikoski] is particularly clever. With a simple application, network credentials can be literally “flashed” to the waiting microcontroller by rapidly blinking the flash LED on an Android device. This allows the information to be transferred quickly and easily regardless of the user’s technical proficiency. One could even make the argument that it’s more secure than some of the other methods of doing initial setup, since an eavesdropper would literally need to see you do it if they wanted to steal your encryption key.

[Pekka] has made the source code for the Android application and the “Gazerbeam” library open for anyone who wants to include the capability in their own projects. To pick up the blinking light you just need to add a phototransistor, an opamp, and a handful of passives to your circuit; making this solution cheap enough that you could even use it in a small-scale production run. The concept isn’t limited to network credentials either. Whenever we can hold conferences again, it could be an interesting way to let attendees customize their badge.

Of course, [Pekka] isn’t the first person to use this trick. Hackers well versed in the history of WiFi MCUs may recall that the Electric Imp used a very similar method of configuration called BlinkUp. If you ever come across a device that asks you to put your phone’s screen down on a little window to perform the initial setup, there’s a good chance it has an Imp inside.

Instruction Set Hack For Protected Memory Access

April 27, 2020 by Inderpreet Singh 7 Comments

The nRF51 Series SoCs is a family of low power Bluetooth chips from Nordic Semiconductor that is based on ARM Cortex cores. The nRF51822 has the Cortex M0 core and is used in a lot of products. [Loren] has written a blog post in which he claims to be able to circumvent read back protection on the chip, thus giving access to the ROM, RAM and registers as well as allow for interactive debugging sessions.

The hack stems from the fact that the Serial Wire Debug or SWD interface cannot be completely disabled on these chips even if the Memory Protection Unit prevents access to any memory regions directly. The second key piece is the fact that CPU can fetch stuff from the code memory. Combined with the SWD super powers to make changes to the registers themselves, this can be a powerful tool.

Continue reading “Instruction Set Hack For Protected Memory Access” →

NEO430 Puts A Custom MSP430 Core In Your FPGA

April 27, 2020 by Sven Gregori 18 Comments

We are certainly spoiled by all the microcontroller options nowadays — which is a great problem to have. But between the good old 8-bit controllers and an increasing number of 32-bit varieties, it almost seems as if the 16-bit ones are slowly falling into oblivion. [stnolting] particularly saw an issue with the lack of 16-bit open source soft cores, and as a result created the NEO430, an MSP430 compatible soft processor written in VHDL that adds a custom microcontroller to your next FPGA project.

With high customization as main principle in mind, [stnolting] included a wide selection of peripherals and system features that can be synthesized as needed. Not limiting himself to the ones you would find in an off-the-shelf MSP430 controller, he demonstrates the true strength of open source soft cores. Do you need a random number generator, CRC calculation, and an SPI master with six dedicated chip select lines? No problem! He even includes a Custom Functions Unit that lets you add your own peripheral feature or processor extension.

However, what impresses most is all the work and care [stnolting] put into everything beyond the core implementation. From the C library and the collection of examples for each of the controller’s features, so you can get started out of the box with GCC’s MSP430 port, to writing a full-blown data sheet, and even setting up continuous integration for the entire repository. Each topic on its own is worth looking at, and the NEO430 offers a great introduction or reference for it.

Of course, there are some shortcomings as well, and the biggest downer is probably the lack of analog components, but that’s understandable considering your average FPGA’s building blocks. And well, it’s hard to compete with the MSP430’s ultra low-power design using an FPGA, so if you’re thinking of replicating this watch, you might be better off with a regular MSP430 from a battery lifetime point of view.

Custom Bluetooth Joystick In A Nunchuk Shell

April 26, 2020 by Tom Nardi 2 Comments

With the Wii’s unique controller, Nintendo not only provided new gaming experiences to players, but gave hardware hackers a platform for experimentation that’s still going strong. Case in point, this modification of a third party Wii “Nunchuk” by [Giliam de Carpentier] that turns the accessory into a stand-alone wireless controller powered by a ATtiny44A.

It turns out there’s a considerable amount of free space inside the Nunchuk case, so [Giliam] found adding in the new hardware wasn’t nearly as difficult as you might expect. Of course, it helps that the diminutive SMD ATtiny44A and its support hardware are housed on a very neatly milled PCB that attaches to the back of the original board.

Most of the other hardware comes in the form of modular components, like the Bluetooth transmitter and TP4056 charge controller for the 300 mAh battery. A micro USB charging port is mounted where the original Nunchuk cable entered the case, making the whole thing look very professional.

Even if you aren’t interested in making your own controller, [Giliam] covers many interesting topics in this write-up such as handling different methods of Bluetooth connectivity and various power management techniques to eke out as much life from the relatively small battery as possible. It’s not only a fascinating read, but a great example of what thorough project documentation should look like.

In the past we’ve seen Bluetooth conversions for the Wii Nunchuck, but traditionally they left the original electronics in place. On the other side of the spectrum, we’ve also seen the internals get replaced with something as powerful as the Raspberry Pi Zero.

Continue reading “Custom Bluetooth Joystick In A Nunchuk Shell” →