This Week In Security: GhostWrite, Localhost, And More

You may have heard some scary news about RISC-V CPUs. There’s good news, and bad news, and the whole thing is a bit of a cautionary tale. GhostWrite is a devastating vulnerability in a pair of T-Head XuanTie RISC-V CPUs. There are also unexploitable crashes in another T-Head CPU and the QEMU soft core implementation. These findings come courtesy of a group of researchers at the CISPA Helmholtz Center for Information Security in Germany. They took a look at RISC-V cores, and asked the question, do any of these instructions do anything unexpected? The answer, obviously, was “yes”.

Undocumented instructions have been around just about as long as we’ve had Von Neumann architecture processors. The RISC-V ISA put a lampshade on that reality, and calls them “vendor specific custom ISA extensions”. The problem is that vendors are in a hurry, have limited resources, and deadlines wait for no one. So sometimes things make it out the door with problems. To find those problems, CISPA researchers put together a test framework called RISCVuzz, and it’s all about running each instruction on multiple chips, and watching for oddball behavior. They found a couple of “halt-and-catch-fire” problems, but the real winner (loser) is GhostWrite.

Now, this isn’t a speculative attack like Meltdown or Spectre. It’s more accurate to say that it’s a memory mapping problem. Memory mapping helps the OS keep programs independent of each other by giving them a simplified memory layout, doing the mapping from each program to physical memory in the background. There are instructions that operate using these virtual addresses, and one such is vs128.v. That instruction is intended to manipulate vectors, and use virtual addressing. The problem is that it actually operates directly on physical memory addresses, even bypassing cache. That’s not only memory, but also includes hardware with memory mapped addresses, entirely bypassing the OS. This instruction is the keys to the kingdom.

Raspberry Has A New Pico, Built With The New RP2350

Raspberry Pi’s first foray into the world of microcontrollers, the RP2040, was a very interesting chip. Its standout features were the programmable input/output units (PIOs) which enabled all sorts of custom real-time shenanigans. And that’s not to discount the impact of the Pi Pico, the $4 dev kit built around it.

Today, they’re announcing a brand-new microcontroller: the RP2350. It will come conveniently packaged in the new Pi Pico 2, and there’s good news and bad news. The good news is that the new chip is better in every way, and that the Pico form factor will stay the same. The bad news? It’s going to cost 25% more, coming in at $5. But in exchange for the extra buck, you get a lot.

For starters, the RP2350 runs a bit faster at 150 MHz, has double the on-board RAM at 520 kB, and twice as much QSPI flash at 4 MB. And those sweet, sweet PIOs? Now it has 12 instead of just 8. (Although we have no word yet if there is more program space per PIO – even with the incredibly compact PIO instruction set, we always wanted more!)

Two flavors on the same chip: Arm and RISC

As before, it’s a dual-core chip, but now the cores are Arm Cortex M33s or RISC-V Hazard3s. Yes, you heard that right, there are two pairs of processors on board. Raspberry Pi says that you’ll be able to select which style of cores runs either by software or by burning one-time fuses. So it’s not a quad core chip, but rather your choice of two different dual cores. Wild!

Raspberry Pi is also making a big deal about the new Arm TrustZone functionality. It has signed boot, 8 kB of OTP key-storage memory, SHA-256 acceleration, a hardware RNG, and “fast glitch detectors”. While this is probably more aimed at industry than at the beginning hacker, we’re absolutely confident that some of you out there will put this data-safe to good use.

There is, as of yet, no wireless built in. We can’t see into the future, but we can see into the past, and we remember that the original Pico went without wireless for a few months before they got the WiFi and Bluetooth radio added into the Pico W. Will history repeat itself with the Pico 2?

We’re getting our hands on a Pico 2 in short order, and we’ve already gotten a sneak peek at the extensive software toolchain that’s been built out for it. All the usual suspects are there: Picotool, TinyUSB, and OpenOCD as we write this. We’ll be putting it through its paces and writing up all the details next week.

Keebin’ With Kristina: The One With The KiCad Plugin

The most striking feature of the Tenshi keyboard has to be those dual track pads. But then you notice that [fata1err0r81] managed to sneak in two extra thumb keys on the left, and that those are tilted for comfort and ease of actuation.

The name Tenshi means ‘angel’ in Japanese, and creator [fata1err0r81] says that the track pads are the halos. Each one slides on a cool 3D-printed track that’s shaped like a half dovetail joint, which you can see closer in this picture.

Tenshi uses a pair of RP2040 Zeros as controllers and runs QMK firmware. The track pads are 40 mm each and come from Cirque. While the Cirques have been integrated into QMK, the pull request for ZMK has yet to be merged in. And about those angled keys — [fata1err0r81] says they tried risers, but the tilting feels like less effort. Makes total sense to me, but then again I’m used to a whole keyboard full of tilted keys.

FLOSS Weekly Episode 795: Liferay, Now We’re Thinking With Portals

This week Jonathan Bennett and Doc Searls chat with Olaf Kock and Dave Nebinger about Liferay! That’s a Java project that started as an implementation of a web portal, and has turned into a very flexible platform for any sort of web application. How has this Open Source project turned into a very successful business? And how is it connected to the most iconic children’s educational show of all time? Listen to find out!

I2C For Hackers: The Basics

You only really need two data wires to transfer a ton of data. Standards like UART, USB2, I2C, SPI, PS/2, CAN, RS232, SWD (an interface to program MCUs), RS485, DMX, and many others, all are a testament to that. In particular, I2C is such a powerful standard, it’s nigh omnipresent – if you were to somehow develop an allergy to I2C, you would die.

Chances are, whatever device you’re using right now, there’s multiple I2C buses actively involved in you reading this article. Your phone’s touchscreen is likely to use I2C, so is your laptop touchpad, most display standards use I2C, and power management chips are connected over I2C more often than not, so you’re covered even if you’re reading this on a Raspberry Pi! Basically everything “smart” has an I2C port, and if it doesn’t, you can likely imitate it with just two GPIOs.

If you’re building a cool board with an MCU, you should likely plan for having an I2C interface exposed. With it, you can add an LCD screen with a respectable resolution or an LED matrix, or a GPS module, a full-sized keyboard or a touchpad, a gesture sensor, or a 9 degree of freedom IMU – Inertial Measurement Unit, like an accelerometer+compass+gyroscope combination. A small I2C chip can help you get more GPIOs for your MCU or CPU, or a multi-channel motor driver, or a thermal camera, or a heap of flash memory; if you’re adding some sort of cool chip onto your board, it likely has an I2C interface to let you fine-tune its fancy bits.

As usual, you might have heard of I2C, and we sure keep talking about it on Hackaday! There’s a good few long-form articles about it too, both general summaries and cool tech highlights; this article is here to fill in some gaps and make implicit knowledge explicit, making sure you’re not missing out on everything that I2C offers and requires you to know!

Tickets For Supercon 2024 Go On Sale Now!

Tickets for the 2024 Hackaday Supercon are on sale now! Go and get yours while they’re still hot. True-Believer Tickets are half-price at $148 (plus fees), and when that pile of 100 is gone, regular admission is $296 (plus fees).

Come join us on November 1st-3rd in sunny Pasadena, CA, for three days of talks, demos, badge hacking, workshops, and the sort of miscellaneous hardware shenanigans that make Hackaday Hackaday! If you’ve never been to a Supercon, now is the best time to check that off your bucket list. And if you’re a seven-time veteran, we’re stoked to see you again. Supercon is like a year’s worth of posts in one weekend. You don’t want to miss it.

Friday, November 1st, is our chill-out day. You can roll in as soon as the doors open in the morning, get your badge and some bagels, and get down to hacking. Or you can start socializing early. Or, as it almost always happens, both at once. We’ll have food and music and even a few workshops, but for the most part, Fridays are what you all make of them. And we love it that way.

Talks start up on Saturday on both stages, along with the soldering contest and an alley full of hackers. We’ll close out the evening with a special celebration, but more on that in a minute.

On Sunday, in addition to the usual slate of talks, we’ve set aside a big block of time for Lightning Talks. These are seven-minute quickies where you get to tell the bigger Hackaday community what you’re up to. A short talk like this forces you to condense the story down to its essence while giving tons of people their fifteen minutes of fame in half the time! If you’ve got a Lightning Talk that you’d like to present, let us know! We’ll try to fit in everyone we can.

Wrapping up Sunday evening, we’ll give you a chance to show off whatever badge hacks you’ve been working on over the weekend. We love the badge hacking demo because it allows us to see a wide (and wild) range of projects, all of which were put together in record time. Whether funny, flashy, or phenomenal, we want to see what you’ve been up to.

Hack On Self: Sense Of Time

Every now and then, a commercial product aims to help you in your life journey, in a novel way, making your life better through its presence. Over the years, I’ve been disappointed by such products far more often than I have been reassured, seeing each one of them rendered unimaginative and purposeless sometimes even despite the creator’s best intentions. The pressures of a commercial market will choke you out without remorse, metal fingers firmly placed on your neck, tightening with every move that doesn’t promise profit, and letting money cloud your project’s vision. I believe that real answers can only come from within hacker communities, and as we explore, you might come to see it the same way.

This is the tip of the iceberg of a decade-long project that I hope to demonstrate in a year or two. I’d like to start talking about that project now, since it’s pretty extensive; the overall goal is about using computers to help with the human condition, on a personal level. There’s a lot of talk about computers integrating into our lives – even more if you dare consult old sci-fi, much of my inspiration.

Tackling a gigantic problem often means cutting it down into smaller chunks, though, so here’s a small sub-problem I’ve been working on, for years now, on and off: Can you use computers to modify your sense of time?
