ZPB30A1 Electronic Load gets an Open Firmware

Importing cheap equipment and test gear is something of a mixed blessing. It allows you to outfit your lab without emptying your bank account, but on the other hand there’s usually a reason it’s cheap. Of course, the retail price of a piece of hardware shouldn’t be the metric by which we measure its quality, but there’s got to be a few corners cut someplace when they are selling this stuff for a fraction of what the name brands are charging.

A perfect example is the ZHIYU ZPB30A1 electronic load, available from various online importers for about $30 USD. While the price is right for an adjustable load that can handle up to 110 W, it’s got some pretty glaring shortcomings. In an effort to address at least some of those issues, [Luca Zimmermann] has been working on an open source replacement firmware for the load’s STM8S microcontroller.

[Luca] quickly discovered that the device’s STM8S005K6 chip is write protected, so unfortunately you can’t just flash a new firmware to it. If you want to unlock additional features, you need to perform a brain transplant. Luckily these chips are quite cheap, and you can probably add a couple of them to your cart when you order he ZPB30A1.

With the new GPLv3 licensed firmware installed, the device gains constant power and resistances modes (stock firmware can only do constant current), serial logging, and support for adjusting the value of the shunt resistor. There’s even a basic menu system to shuffle through the new modes. There’s still a couple features that haven’t been implemented, such as automatic shutdown, but it’s already a considerable upgrade from the stock software. Now we just need some details on the slick custom enclosure that [Luca] has put his upgraded ZPB30A1 into.

If this looks too easy, you can always go the DIY Arduino route for your load testing needs, or build a monster than can sink up to 1 kW.

[Thanks to Benik3 for the tip.]

Resuming Failed 3D Prints Automatically

What happens to your 3D printer if the power goes out? What happens if there’s a jam in the nozzle? What happens if your filament breaks, runs out, or turns into a plate of spaghetti? For all these situations, the print fails, wasting plastic and time. For his Hackaday Prize entry, [robert] has come up with a tiny device that saves all those failed prints, and it does it without batteries or a UPS.

The idea behind [robert]’s box is to monitor all the G-code being sent to the printer, and allow a print to be resumed after a failure. The design is simple enough — just a USB mini port on one end, a USB A port on the other, and three buttons in between. This box logs the G-code, and if the printer happens to fail, the box will spring into life allowing you to resume a print from any Z position.

Already [robert] has tested this box on a number of printers including the Prusa i3, the Creality CR-10, and the ever-popular, explodey Anet A8. The project has already gone through a few hardware revisions and there is, of course, a fancy 3D printed enclosure for the board. It’s a great project, and one of the more interesting 3D printing tools we’ve seen in this year’s Hackaday Prize.

Unbricking A 3D Printer The Hard Way: By Writing a Bootloader

There’s a sinking feeling when a firmware upgrade to a piece of equipment goes wrong. We’ve all likely had this happen and  bricked a device or two. If we are lucky we can simply reapply the upgrade or revert to a previous version, and if we’re unlucky we have to dive into a serial debug port to save the device from the junk pile. But what happens when both those routes fail? If you are [Arko], you reverse-engineer the device and write your own bootloader for it.

The offending bricked object was a Monoprice MP Mini Delta 3D printer to which he was foolhardy enough to apply new firmware after seeing a friend’s machine taking it without issue. Finding the relevant debug interface on its main PCB he applied the firmware upgrade again, only to realise that in doing so he had overwritten its bootloader. The machine seemed doomed, but he wasn’t ready to give up.

What follows in his write-up is a detailed examination of the boot mechanism and memory map of an ARM Cortex M0 processor as found in the Monoprice’s STM32F070CB. We learn about vector tables for mapping important addresses of interrupts and execution points, and the mechanics of a bootloader in setting up the application it launches. This section is well worth a read on its own, even for those with no interest in bricked 3D printers.

In the end he had a working bootloader to which he appended the application firmware, but sadly when he powered up the printer there was still no joy. The problem was traced to the serial connection between the ARM doing the printer’s business and the ESP8266 running its display. After a brainstorm suggestion with a friend, a piece of code was found which would set the relevant registers to allow it to run at the correct speed.

So after a lot of work that resulted in this fascinating write-up, there was a working 3D printer. He suggests that mere mortals try asking Monoprice for a replacement model if it happens to their printers, but we’re extremely glad he persevered. Without it we would never have had this fascinating write-up, and would be the poorer without the learning experience.

This isn’t the first time we’ve brought you 3D printer bootloader trickery.

We’re Using the Word Firmware Wrong

I had an interesting discussion the other day about code written for an embedded system. I was speaking with Voja Antonic about ‘firmware’. The conversation continued forward but I noticed that he was calling it ‘software’. We later discussed it and Voja told me he thought only the parts of the code directly interacting with the microcontroller were firmware; the rest falls under the more generic term of software. It really had me wondering where firmware stops being firmware and is merely software?

The topic has remained on my mind and I finally got around to doing some dictionary searches. I’m surprised that I’ve been using the word differently and I think most of the people I’ve heard use it are doing the same — at least as far as dictionary definitions are concerned. My go to sources are generally Merriam-Webster and Oxford English dictionaries and both indicate that firmware is a type of software that is indelible:

Permanent software programmed into a read-only memory.

computer programs contained permanently in a hardware device (such as a read-only memory)

According to this definition, I have never written a single bit of firmware. Everything I have written has been embedded software. But surely this is a term that must change with the times as technology progress so I kept digging.

Continue reading “We’re Using the Word Firmware Wrong”

Injecting Code Into Mouse Firmware Should Be Your Next Hack

Here’s a DEF CON talk that uses tools you likely have and it should be your next hacking adventure. In their Saturday morning talk [Mark Williams] and [Rob Stanely] walked through the process of adding their own custom code to a gaming mouse. The process is a crash course in altering a stock firmware binary while still retaining the original functionality.

The jumping off point for their work is the esports industry. The scope of esporting events has blown up in recent years. The International 2016 tournament drew 17,000 attendees with 5 million watching online. The prize pool of $20 million ($19 million of that crowdfunded through in-game purchases) is a big incentive to gain a competitive edge to win. Contestants are allowed to bring their own peripherals which begs the questions: can you alter a stock gaming mouse to do interesting things?

The steelseries Sensei mouse was selected for the hack because it has an overpowered mircocontroller: the STM32F103CB. With 128 KB of flash the researchers guessed there would be enough extra room for them to add code. STM32 chips are programmed over ST-Link, which is available very inexpensively through the ST Discovery boards. They chose the STM32F4DISCOVERY which runs around  $20.

Perhaps the biggest leap in this project is that the firmware wasn’t read-protected. Once the data, clock, and ground pads on the underside of the board were connected to the Discovery board the firmware was easy to dump and the real fun began.

They first looked through the binary for a large block of zero values signifying unused space in flash. The injected firmware is designed to enumerate as a USB keyboard, open Notepad, then type out, save, and execute a PowerShell script before throwing back to the stock firmware (ensuring the mouse would still function as a mouse). Basically, this builds a USB Rubber Ducky into stock mouse firmware.

There are a few useful skills that make taking on this project a worthwhile learning experience. To compile your custom code correctly you need to choose the correct offset address for where it will end up once pasted into the firmware binary. The vector table of the original code must be rewritten to jump to the injected code first, and it will need to jump back to the mouse execution once it has run. The program flow on the left shows this. Both of these jumps require the program counter and registers to be saved and restored. The ARM stack is subtractive and the address will need to be updated to work with the added code.

The talk ended with a live demo that worked like a charm. You can check out the code in the MDHomeBrew repo. In this case the PowerShell script adds keyboard shortcuts for DOOM cheats. But like we said before, the experience of getting under the hood with the firmware binary is where the value will be for most people. With this success under your belt you can take on more difficult challenges like [Sprite_TM’s] gaming keyboard hack where the firmware couldn’t easily be dumped and an update binary was quite obsfucated.

Open Source Firmware For Hoverboards

2015 was two years ago, and to the surprise of many, we actually had hoverboards at the time. Of course, these weren’t Back to the Future-style hovering skateboards; they were crappy two-wheeled balancing scooters that suffered a few battery explosions and were eventually banned from domestic flights by some carriers. But oh boy, there were some funny Vines of these things.

While the rest of the world moved on from hoverboards, [Casainho] has been working on Open Sourcing the firmware for these interesting bits of electronics and motors. Now, his work is wrapping up and he has new firmware for electric unicycles and hoverboards.

The popular and cheap electric unicycles and hoverboards that have been swimming across the Pacific from the great land of Ali Baba for the past five years are based around a single, cheap controller board. This controller board is built around the STM32F1038T6 microcontroller, and are able to control a pair of three-phase brushless motors. The teardown began on the electric unicycle forum and was completely documented in a GitHub repo.

The Open Source firmware is now mostly complete, although the necessary self-balancing function doesn’t work. We’re thinking that’s alright; with this new firmware, these electric unicycles have a crazy amount of torque and could be the basis for a few very cool builds. You can check out a video of this torque below.

If two wheels seems far too safe, exercise your inner daredevil with a 3D printed unicycle conversion for a hoverboard.

Continue reading “Open Source Firmware For Hoverboards”

Blob-less Raspberry Pi Linux Is A Step Closer

The Raspberry Pi single board computer has been an astounding success since its launch nearly five years ago, to the extent that as of last autumn it had sold ten million units with no sign of sales abating. It has delivered an extremely affordable and pretty powerful computer into the hands of hobbyists, youngsters, hackers, engineers and thousands of other groups, and its open-source Raspbian operating system has brought a useful Linux environment to places we might once have thought impossible.

The previous paragraph, we have to admit, is almost true. The Pi has sold a lot, it’s really useful and lots of people use it, but is Raspbian open-source? Not strictly. Because the Broadcom silicon that powers the Pi has a significant amount of proprietary tech that the chipmaker has been unwilling to let us peer too closely at, each and every Raspberry Pi operating system has shipped with a precompiled binary blob containing the proprietary Broadcom code, and of course that’s the bit that isn’t open source. It hasn’t been a problem for most Pi users as it’s understood to be part of the trade-off that enabled the board’s creators to bring it to us at an affordable price back in 2012, but for open-source purists it’s been something of a thorn in the side of the little board from Cambridge.

This is not to say that all is lost on the blob-free Pi front. Aided by a partial pulling back of the curtain of secrecy by Broadcom in 2014, work has quietly been progressing, and we now have the announcement from [Kristina Brooks] that a minimal Linux kernel can boot from her latest open firmware efforts. You won’t be booting a blob-free Raspbian any time soon as there are bugs to fix and USB, DMA, and video hardware has still to receive full support, but it’s a significant step. We won’t pretend to be Broadcom firmware gurus as we’re simply reporting the work, but if it’s your specialty you can find the code in its GitHub repository. Meanwhile, we look forward to future progress on this very interesting project.

We reported on the partial Broadcom release back in 2014. At the time, the Raspberry Pi people offered a prize to the first person running a native Quake III game on their hardware, sadly though they note the competition is closed they haven’t linked to the winning entry.