Supercon Badge Hardware Hacking: Here’s What to Bring

October 25, 2018 by Roger Cheng 29 Comments

Hackaday Superconference is just a week away (precious few tickets remain), a celebration of all things Hackaday, which naturally includes creative projects making the most of their hardware. Every attendee gets a platform for hacking in the form of the conference badge.

To make the most of your badge hacking fun, plan ahead so you will have the extra components and the tools you need. At the most basic, bring along a serial to USB cable and a PIC programmer. These are common and if you don’t own them, ask around and you will likely be able to borrow them. Now is also the time to put in a parts order for any components you want to use but don’t have on hand!

The badge is hackable without any extras, but it’s designed for adding hardware and hacking the firmware. We’re excited to see what you can do with it. We gave an overview of this retro themed pocket computer a few days ago, today we’re inviting you to exploit its potential for your hardware hacks.

Continue reading “Supercon Badge Hardware Hacking: Here’s What to Bring” →

I2C Bootloader for ATtiny85 Lets Other Micros Push Firmware Updates

October 20, 2018 by Donald Papp 14 Comments

There are a few different ways of getting firmware onto one of AVR’s ATtiny85 microcontrollers, including bootloaders that allow for firmware to be updated without the need to plug the chip into a programmer. However, [casanovg] wasn’t satisfied with those so he sent us a tip letting us know he wrote an I2C bootloader for the ATtiny85 called Timonel. It takes into account a few particulars of the part, such as the fact that it lacks a protected memory area where a bootloader would normally reside, and it doesn’t have a native I2C interface, only the USI (Universal Serial Interface). He’s just released the first functional version for the ATtiny85, but there’s no reason it couldn’t be made to work with the ATtiny45 and ATtiny25 as well.

Timonel is designed for systems where there is a more powerful microcontroller or microprocessor running the show (such as an ESP8266, Arduino, or even a board like a Raspberry Pi.) In designs where the ATtinys are on an I2C bus performing peripheral functions such as running sensors, Timonel allows the firmware for these peripheral MCUs to be updated directly from the I2C bus master. Embedded below is a video demo of [casanovg] sending simple serial commands, showing a successful firmware update of an AVR ATtiny85 over I2C.

Continue reading “I2C Bootloader for ATtiny85 Lets Other Micros Push Firmware Updates” →

ZPB30A1 Electronic Load gets an Open Firmware

September 6, 2018 by Tom Nardi 29 Comments

Importing cheap equipment and test gear is something of a mixed blessing. It allows you to outfit your lab without emptying your bank account, but on the other hand there’s usually a reason it’s cheap. Of course, the retail price of a piece of hardware shouldn’t be the metric by which we measure its quality, but there’s got to be a few corners cut someplace when they are selling this stuff for a fraction of what the name brands are charging.

A perfect example is the ZHIYU ZPB30A1 electronic load, available from various online importers for about $30 USD. While the price is right for an adjustable load that can handle up to 110 W, it’s got some pretty glaring shortcomings. In an effort to address at least some of those issues, [Luca Zimmermann] has been working on an open source replacement firmware for the load’s STM8S microcontroller.

[Luca] quickly discovered that the device’s STM8S005K6 chip is write protected, so unfortunately you can’t just flash a new firmware to it. If you want to unlock additional features, you need to perform a brain transplant. Luckily these chips are quite cheap, and you can probably add a couple of them to your cart when you order he ZPB30A1.

With the new GPLv3 licensed firmware installed, the device gains constant power and resistances modes (stock firmware can only do constant current), serial logging, and support for adjusting the value of the shunt resistor. There’s even a basic menu system to shuffle through the new modes. There’s still a couple features that haven’t been implemented, such as automatic shutdown, but it’s already a considerable upgrade from the stock software. Now we just need some details on the slick custom enclosure that [Luca] has put his upgraded ZPB30A1 into.

If this looks too easy, you can always go the DIY Arduino route for your load testing needs, or build a monster than can sink up to 1 kW.

[Thanks to Benik3 for the tip.]

Resuming Failed 3D Prints Automatically

April 13, 2018 by Brian Benchoff 24 Comments

What happens to your 3D printer if the power goes out? What happens if there’s a jam in the nozzle? What happens if your filament breaks, runs out, or turns into a plate of spaghetti? For all these situations, the print fails, wasting plastic and time. For his Hackaday Prize entry, [robert] has come up with a tiny device that saves all those failed prints, and it does it without batteries or a UPS.

The idea behind [robert]’s box is to monitor all the G-code being sent to the printer, and allow a print to be resumed after a failure. The design is simple enough — just a USB mini port on one end, a USB A port on the other, and three buttons in between. This box logs the G-code, and if the printer happens to fail, the box will spring into life allowing you to resume a print from any Z position.

Already [robert] has tested this box on a number of printers including the Prusa i3, the Creality CR-10, and the ever-popular, explodey Anet A8. The project has already gone through a few hardware revisions and there is, of course, a fancy 3D printed enclosure for the board. It’s a great project, and one of the more interesting 3D printing tools we’ve seen in this year’s Hackaday Prize.

Unbricking A 3D Printer The Hard Way: By Writing a Bootloader

March 13, 2018 by Jenny List 33 Comments

There’s a sinking feeling when a firmware upgrade to a piece of equipment goes wrong. We’ve all likely had this happen and bricked a device or two. If we are lucky we can simply reapply the upgrade or revert to a previous version, and if we’re unlucky we have to dive into a serial debug port to save the device from the junk pile. But what happens when both those routes fail? If you are [Arko], you reverse-engineer the device and write your own bootloader for it.

The offending bricked object was a Monoprice MP Mini Delta 3D printer to which he was foolhardy enough to apply new firmware after seeing a friend’s machine taking it without issue. Finding the relevant debug interface on its main PCB he applied the firmware upgrade again, only to realise that in doing so he had overwritten its bootloader. The machine seemed doomed, but he wasn’t ready to give up.

What follows in his write-up is a detailed examination of the boot mechanism and memory map of an ARM Cortex M0 processor as found in the Monoprice’s STM32F070CB. We learn about vector tables for mapping important addresses of interrupts and execution points, and the mechanics of a bootloader in setting up the application it launches. This section is well worth a read on its own, even for those with no interest in bricked 3D printers.

In the end he had a working bootloader to which he appended the application firmware, but sadly when he powered up the printer there was still no joy. The problem was traced to the serial connection between the ARM doing the printer’s business and the ESP8266 running its display. After a brainstorm suggestion with a friend, a piece of code was found which would set the relevant registers to allow it to run at the correct speed.

So after a lot of work that resulted in this fascinating write-up, there was a working 3D printer. He suggests that mere mortals try asking Monoprice for a replacement model if it happens to their printers, but we’re extremely glad he persevered. Without it we would never have had this fascinating write-up, and would be the poorer without the learning experience.

This isn’t the first time we’ve brought you 3D printer bootloader trickery.

We’re Using the Word Firmware Wrong

September 29, 2017 by Mike Szczys 123 Comments

I had an interesting discussion the other day about code written for an embedded system. I was speaking with Voja Antonic about ‘firmware’. The conversation continued forward but I noticed that he was calling it ‘software’. We later discussed it and Voja told me he thought only the parts of the code directly interacting with the microcontroller were firmware; the rest falls under the more generic term of software. It really had me wondering where firmware stops being firmware and is merely software?

The topic has remained on my mind and I finally got around to doing some dictionary searches. I’m surprised that I’ve been using the word differently and I think most of the people I’ve heard use it are doing the same — at least as far as dictionary definitions are concerned. My go to sources are generally Merriam-Webster and Oxford English dictionaries and both indicate that firmware is a type of software that is indelible:

Permanent software programmed into a read-only memory.

–Oxford English Dictonary

computer programs contained permanently in a hardware device (such as a read-only memory)

–Merriam-Webster Dictonary

According to this definition, I have never written a single bit of firmware. Everything I have written has been embedded software. But surely this is a term that must change with the times as technology progress so I kept digging.

Continue reading “We’re Using the Word Firmware Wrong” →

Injecting Code Into Mouse Firmware Should Be Your Next Hack

July 29, 2017 by Mike Szczys 18 Comments

Here’s a DEF CON talk that uses tools you likely have and it should be your next hacking adventure. In their Saturday morning talk [Mark Williams] and [Rob Stanely] walked through the process of adding their own custom code to a gaming mouse. The process is a crash course in altering a stock firmware binary while still retaining the original functionality.

The jumping off point for their work is the esports industry. The scope of esporting events has blown up in recent years. The International 2016 tournament drew 17,000 attendees with 5 million watching online. The prize pool of $20 million ($19 million of that crowdfunded through in-game purchases) is a big incentive to gain a competitive edge to win. Contestants are allowed to bring their own peripherals which begs the questions: can you alter a stock gaming mouse to do interesting things?

The steelseries Sensei mouse was selected for the hack because it has an overpowered mircocontroller: the STM32F103CB. With 128 KB of flash the researchers guessed there would be enough extra room for them to add code. STM32 chips are programmed over ST-Link, which is available very inexpensively through the ST Discovery boards. They chose the STM32F4DISCOVERY which runs around $20.

Perhaps the biggest leap in this project is that the firmware wasn’t read-protected. Once the data, clock, and ground pads on the underside of the board were connected to the Discovery board the firmware was easy to dump and the real fun began.

They first looked through the binary for a large block of zero values signifying unused space in flash. The injected firmware is designed to enumerate as a USB keyboard, open Notepad, then type out, save, and execute a PowerShell script before throwing back to the stock firmware (ensuring the mouse would still function as a mouse). Basically, this builds a USB Rubber Ducky into stock mouse firmware.

There are a few useful skills that make taking on this project a worthwhile learning experience. To compile your custom code correctly you need to choose the correct offset address for where it will end up once pasted into the firmware binary. The vector table of the original code must be rewritten to jump to the injected code first, and it will need to jump back to the mouse execution once it has run. The program flow on the left shows this. Both of these jumps require the program counter and registers to be saved and restored. The ARM stack is subtractive and the address will need to be updated to work with the added code.

The talk ended with a live demo that worked like a charm. You can check out the code in the MDHomeBrew repo. In this case the PowerShell script adds keyboard shortcuts for DOOM cheats. But like we said before, the experience of getting under the hood with the firmware binary is where the value will be for most people. With this success under your belt you can take on more difficult challenges like [Sprite_TM’s] gaming keyboard hack where the firmware couldn’t easily be dumped and an update binary was quite obsfucated.