Raspberry Pi RP2350-E9 Erratum Redefined As Input Mode Leakage Current

September 20, 2024 by Maya Posch 34 Comments

Although initially defined as an issue with GPIO inputs when configured with the internal pull-downs enabled, erratum RP2350-E9 has recently been redefined in the datasheet (page 1341) as a case of increased leakage current. As it is now understood since we previously reported, the issue occurs when a GPIO (0 – 47) is configured as input, the input buffer is enabled, and the pad voltage is somewhere between logic LOW and HIGH. In that case leakage current can be as high as 120 µA with IO_VDD = 3.3 V. This leakage current is too much for the internal pull-up to overcome, ergo the need for an external pull-down: 8.2 kΩ or less, per the erratum. Disabling the input buffer will stop the leakage current, but reading the input requires re-enabling the buffer.

GPIO Pad leakage for IOVDD=3.3 V (Credit: Raspberry Pi)

The upshot of this issue is that for input applications, the internal pull-downs are useless, and since PIO applications cannot toggle pad controls, the input buffer toggling workaround is not an option. ADC usage requires one to clear the GPIO input enable. In general any circuit that relies on floating pins or an internal pull-down resistor will be affected.

Although this should mean that the affected A2 stepping of the RP2350 MCU can still be used for applications where this is not an issue, and external pull-downs can be used as a ‘fix’ at the cost of extra power usage, it makes what should have been a drop-in replacement a troubled chip at best. At this point there have still been no definite statements from Raspberry Pi regarding a new (B0) stepping, leaving RP MCU users with the choice between the less flashy RP2040 and the buggy RP2350 for the foreseeable future.

Header: Thomas Amberg, CC BY-SA 2.0.

This Week In Security: Open Source C2, Raptor Trains, And End To End Encryption

September 20, 2024 by Jonathan Bennett 14 Comments

Open Source has sort of eaten everything in software these days. And that includes malware, apparently, with open source Command and Control (C2) frameworks like Sliver and Havoc gaining traction. And of course, this oddball intersection of Open Source and security has intrigued at least one security researcher who has found some interesting vulnerabilities.

Before we dive into what was found, you may wonder why open source malware tools exist. First off, trustworthy C2 servers are quite useful for researchers, who need access to such tools for testing. Then there is Red Teaming, where a security professional launches a mock attack against a target to test its defenses. A C2 is often useful for education and hobby level work, and then there are the true criminals that do use these Open Source tools. It takes all types.

A C2 system consists of an agent installed on compromised systems, usually aiming for stealth. These agents connect to a central server, sending information and then executing any instructions given. And finally there’s a client, which is often just a web interface or even a command line interface.

Now what sort of fun is possible in these C2 systems? Up first is Sliver, written in Go, with a retro command line interface. Sliver supports launching Metasploit on compromised hosts. Turns out, it accidentally supported running Metasploit modules against the server’s OS itself, leading to an easy remote shell from an authenticated controller account.

Havoc has a fancy user interface for the clients, and also a command injection flaw. A service name field gets used to generate a shell command, so you’re only a simple escape away from running commands. That’s not quite as useful as the API that failed open when a bad username/password was given. Oops. Continue reading “This Week In Security: Open Source C2, Raptor Trains, And End To End Encryption” →

COBB Tuning Hit With $2.9 Million Fine Over Emissions Defeat Devices

September 20, 2024 by Maya Posch 110 Comments

Recently, the EPA and COBB Tuning have settled after the latter was sued for providing emissions control defeating equipment. As per the EPA’s settlement details document, COBB Tuning have since 2015 provided customers with the means to disable certain emission controls in cars, in addition to selling aftermarket exhaust pipes with insufficient catalytic systems. As part of the settlement, COBB Tuning will have to destroy any remaining device, delete any such features from its custom tuning software and otherwise take measures to fully comply with the Clean Air Act, in addition to paying a $2,914,000 civil fine.

The tuning of cars has come a long way from the 1960s when tweaking the carburetor air-fuel ratios was the way to get more power. These days cars not only have multiple layers of computers and sensor systems that constantly monitor and tweak the car’s systems, they also have a myriad of emission controls, ranging from permissible air-fuel ratios to catalytic converters. It’s little surprise that these systems can significantly impact the raw performance one might extract from a car’s engine, but if the exhaust of nitrogen-oxides and other pollutants is to be kept within legal limits, simply deleting these limits is not a permissible option.

COBB Tuning proclaimed that they weren’t aware of these issues, and that they never marketed these features as ’emission controls defeating’. They were however aware of issues regarding their products, which is why they announced ‘Project Green Speed’ in 2022, which supposedly would have brought COBB into compliance. Now it would seem that the EPA did find fault despite this, and COBB was forced to making adjustments.

Although perhaps not as egregious as modifying diesel trucks to ‘roll coal’, federal law has made it abundantly clear that if you really want to have fun tweaking and tuning your car without pesky environmental laws getting in the way, you could consider switching to electric drivetrains, even if they’re mind-numbingly easy to make performant compared to internal combustion engines.

2024 Hackaday Superconference Speakers, Round One

September 17, 2024 by Elliot Williams 6 Comments

Supercon is the Ultimate Hardware Conference and you need to be there! We’ve got a stellar slate of speakers this year — way too many to feature in one post. So here’s your first taste, and a reminder that Supercon will sell out so get your tickets now before it’s too late.

In addition to the full-length talks, we’ve got a series of Lightning Talks, so if you want to share seven minutes’ of insight with everyone there, please register your Lightning Talk idea now.

But Supercon has a lot more than just talks! The badge heavily features Supercon Add-Ons, and we want to see the awesome SAOs you are working on. There will be prizes, and we’ll manufacture four of our favorite designs in small batches for the winners, and make a full run for Hackaday Europe in 2025. Want to know more about SAOs? They’re the ideal starter PCB project.

Continue reading “2024 Hackaday Superconference Speakers, Round One” →

A person examines a diamond with a loupe.

We’ll Take DIY Diamond Making For $200,000

September 16, 2024 by Kristina Panos 12 Comments

They say you can buy anything on the Internet if you know the right places to go, and apparently if you’re in the mood to make diamonds, then Alibaba is the spot. You even have your choice of high-pressure, high-temperature (HPHT) machine for $200,000, or a chemical vapor deposition (CVD) version, which costs more than twice as much. Here’s a bit more about how each process works.

A sea of HPHT diamond-making machines. — A sea of HPHT machines. Image via Alibaba

Of course, you’ll need way more than just the machine and a power outlet. Additional resources are a must, and some expertise would go a long way. Even so, you end up with raw diamonds that need to be processed in order to become gems or industrial components.

For HPHT, you’d also need a bunch of good graphite, catalysts such as iron and cobalt, and precise control systems for temperature and pressure, none of which are included as a kit with the machine.

For CVD, you’d need methane and hydrogen gases, and precise control of microwaves or hot filaments. In either case, you’re not getting anywhere without diamond seed crystals.

Right now, the idea of Joe Hacker making diamonds in his garage seems about as far off as home 3D printing did in about 1985. But we got there, didn’t we? Hey, it’s a thought.

Main and thumbnail images via Unsplash

Watch NASA’s Solar Sail Reflect Brightly In The Night Sky

September 15, 2024 by Donald Papp 14 Comments

NASA’s ACS3 (Advanced Composite Solar Sail System) is currently fully deployed in low Earth orbit, and stargazers can spot it if they know what to look for. It’s actually one of the brightest things in the night sky. When the conditions are right, anyway.

What conditions are those? Orientation, mostly. ACS3 is currently tumbling across the sky while NASA takes measurements about how it acts and moves. Once that’s done, the spacecraft will be stabilized. For now, it means that visibility depends on the ACS’s orientation relative to someone on the ground. At it’s brightest, it appears as bright as Sirius, the brightest star in the night sky.

ACS3 is part of NASA’s analysis and testing of solar sail technology for use in future missions. Solar sails represent a way of using reflected photons (from sunlight, but also possibly from a giant laser) for propulsion.

This perhaps doesn’t have much in the way of raw energy compared to traditional thrusters, but offers low cost and high efficiency (not to mention considerably lower complexity and weight) compared to propellant-based solutions. That makes it very worth investigating. Solar sail technology aims to send a probe to Alpha Centauri within the next twenty years.

Want to try to spot ACS3 with your own eyes? There’s a NASA app that can alert you to sighting opportunities in your local time and region, and even guide you toward the right region of the sky to look. Check it out!

Five colors of Cast21 on five different wrists.

Cast21 Brings Healing Into 2024

September 14, 2024 by Kristina Panos 16 Comments

It takes but an ill-fated second to break a bone, and several long weeks for it to heal in a cast. And even if you have one of those newfangled fiberglass casts, you still can’t get the thing wet, and it’s gonna be itchy under there because your skin can’t breathe. Isn’t it high time for something better?

Enter Cast21, co-founded by Chief Technical Officer [Jason Troutner], who has been in casts more than 50 times due to sports injuries and surgeries. He teamed up with a biomedical design engineer and an electrical engineer to break the norms associated with traditional casts and design a new solution that addresses their drawbacks.

So, how does it work already? The latticework cast is made from a network of silicone tubes that harden once injected with resin and a catalyst mixture. It takes ten seconds to fill the latticework with resin and three minutes for it to cure, and the whole process is much faster than plaster or fiberglass.

This new cast can be used along with electrical stimulation therapy, which can reduce healing time and prevent muscle atrophy.

Cast21 is not only breathable, it’s also waterproof, meaning no more trash bags on your arm to take a shower. The doctor doesn’t even need a saw to remove it, just cut in two places along the seam. It can even be used as a splint afterward.

It’s great to see advancements in simple medical technologies like the cast. And it looks almost as cool as this 3D-printed exoskeleton cast we saw ten years ago.

Thanks to [Keith Olson] for the tip!