
Hackaday Links: May 24, 2020

We’re saddened to learn of the passing of Gershon Kingsley in December 2019 at the age of 97. The composer and electronic music pioneer was not exactly a household name, but the things he did with the Moog synthesizer, especially the surprise hit “Pop Corn”, which he wrote in 1969, are sure to be familiar. The song has been covered dozens of times, in the process of which the spelling of the name changed to “Popcorn.” We’re most familiar with the 1972 cover by Hot Butter, an earworm from our youth that doesn’t hide the Moog as deeply in the backing instruments as Kingsley did in the original. Or, perhaps you prefer the cover done by a robotic glockenspiel, because robotic glockenspiel.

A few months back, we covered the audacious plan to recover the radio gear from the Titanic. At the time, the potential salvors, Atlanta-based RMS Titanic, Inc., were seeking permission to cut into the submerged remains of the Titanic’s Marconi room to remove as much of the wireless gear as possible. A federal judge granted permission for the salvage operation last Friday, giving the company the green light to prepare an expedition for this summer. The US government, through the National Oceanic and Atmospheric Administration and the National Park Service, argued strenuously to leave the wreck be and treat it as a tomb for the 1,527 victims. For our part, we had a great discussion about the merits in the comments section of the previous article. Now that it’s a done deal, we’d love to hear what you have to say about this again.

Although life appears to be slowly returning to what passes for normal, that doesn’t mean you might not still have some cycles to spare, especially when the time spent can bolster your skillset. And so if you’re looking to add FPGAs to your resume, check out this remote lab on FPGA vision systems offered by Bonn-Rhein-Sieg University. The setup allows you to watch lectures, download code examples, and build them on your local computer, and then upload the resulting binaries to real hardware running on the lab’s servers in Germany. It sounds like a great way to get access to FPGA hardware that you’d otherwise have a hard time laying hands on. Or, you know, you could have just come to the 2019 Hackaday Superconference.

Speaking of skill-builders, oscilloscope owners who want to sharpen their skills could do worse than to listen to the advice of a real scope jockey like Alan Wolke. He recently posted a helpful video listing the five most common reasons for your scope giving “wrong” voltage readings. Spoiler alert: the instrument is probably doing exactly what you told it to do. As a scope newbie, we found the insights very helpful, and we can imagine even seasoned users could make simple mistakes like using the wrong probe attenuation or forgetting that scope response isn’t flat across its bandwidth.

Safety tip for the gearheads among us: your jack stands might be unsafe to use. Harbor Freight, the stalwart purveyor of cheap tools, has issued a recall of two different models of its jack stands. It seems that the pawls can kick out under the right conditions, sending the supported load crashing to the ground. This qualifies as a Very Bad Day for anyone unlucky enough to be working underneath when it happens. Defective jack stands can be returned to Harbor Freight for store credit, so check your garage and be safe out there in the shop.

And finally, because everyone loves a good flame war, Ars Technica has come up with a pronunciation guide for common tech terms. We have to admit that most of these are not surprising; few among the technology literate would mispronounce “Linux” or “sudo”. We will admit to a non-fanboy level of ignorance on whether the “X” in “iOS X” was a Roman numeral or not, but learning that the “iOS” part is correctly pronounced as three syllables, not two, was a bit shocking. It’s all an exercise in pedantry that reminds us of a mildly heated discussion we had around the secret Hackaday writers’ bunker and whether “a LED” or “an LED” is the correct style. If the Internet was made for anything, it was stuff like this.

EDSAC Lives In MiSTer

There’s a lot of argument over which was the first modern computer to be built. There’s room for debate, but EDSAC — the work of Dr. Maurice Wilkes — certainly was among the first. While we’ve seen simulators before, [hrvach’s] FPGA-based simulator for the MiSTer platform has a lot going for it. Check out the video, below.

So much of what we take for granted today was first developed on the EDSAC. For example, the “Wheeler jump” (named after graduate student David Wheeler) was the origin of the idea of a subroutine.


All Your Passwords Are Belong To FPGA

When used for cracking passwords, a modern high-end graphics card will absolutely chew through “classic” hashing algorithms like SHA-1 and SHA-2. When a single desktop machine can run through 50+ billion password combinations per second, even decent passwords can be guessed in a worryingly short amount of time. Luckily, advanced password hashing functions such as bcrypt are designed specifically to make these sorts of brute-force attacks impractically slow.

Cracking bcrypt on desktop hardware might be out of the question, but the folks over at [Scattered Secrets] had a hunch that an array of FPGAs might be up to the task. While the clock speed on these programmable chips might seem low compared to modern CPUs and GPUs, they don’t have all that burdensome overhead to contend with. This makes the dedicated circuitry in the FPGA many times more efficient at performing the same task. Using a decade-old FPGA board intended for mining cryptocurrency, the team was able to demonstrate a four-fold performance improvement over the latest generation of GPUs.

An earlier version of the FPGA cracker

After seeing what a single quad FPGA board was capable of, the [Scattered Secrets] team started scaling the concept up. The first version of the hardware crammed a dozen of the ZTEX FPGA boards and a master control computer into a standard 4U server case. For the second version, they bumped that up to 18 boards for a total of 72 FPGAs, and made incremental improvements to the power and connectivity systems.

Each 4U FPGA cracker is capable of 2.1 million bcrypt hashes per second, while consuming just 585 watts. To put that into perspective, [Scattered Secrets] says you’d need at least 75 Nvidia RTX-2080Ti graphics cards to match that performance. Such an array would not only take up a whole server rack, but would burn through a staggering 25 kilowatts. Now might be a good time to change your password to something longer, or finally get onboard with 2FA.

We’ve covered attempts to reverse engineer hardware designed for cryptocurrency mining, but those were based around application-specific integrated circuits (ASICs) which by definition are very difficult to repurpose. On the other hand, disused FPGA-based miners offer tantalizing possibilities; once you wrap your mind around how they work, anyway.

[Thanks to Piejoe for the tip.]

The DOOM Chip

It’s a trope among thriller writers: the three-word apocalyptic title. An innocuous item with the power to release unimaginable disaster, which of course our plucky hero must secure to save the day. Happily [Sylvain Lefebvre]’s DOOM chip will not cause the world to end, but it does present a vision of a very 1990s apocalypse. It’s a hardware-only implementation of the first level from id Software’s iconic 1993 first-person-shooter, DOOM. As he puts it: “Algorithm is burned into wires, LUTs and flip-flops on an #FPGA: no CPU, no opcodes, no instruction counter. Running on Altera CycloneV + SDRAM”. It’s the game, or at least the E1M1 map from it sans monsters, solely in silicon. In a very on-theme touch, the rendering engine has 666 lines of code, and the level data is transcribed from the original into hardware tables by a Lua script. It doesn’t appear to be in his GitHub account so far, but we live in hope that one day he’ll put it up.

“Will it run DOOM” is almost a standard for new hardware, but it conceals the immense legacy of this game. It wasn’t the first to adopt a 1st-person 3D gaming environment, but it was the game that defined the genre of realistic and immersive FPS releases that continue to this day. We first played DOOM on a creaking 386, we’ve seen it on all kinds of hardware since, and like very few other games of its age it’s still receiving active development from a large community today. We still mourn slightly that it’s taken the best part of three decades for someone to do a decent Amiga port.

NEO430 Puts A Custom MSP430 Core In Your FPGA

We are certainly spoiled by all the microcontroller options nowadays — which is a great problem to have. But between the good old 8-bit controllers and an increasing number of 32-bit varieties, it almost seems as if the 16-bit ones are slowly falling into oblivion. [stnolting] particularly saw an issue with the lack of 16-bit open source soft cores, and as a result created the NEO430, an MSP430 compatible soft processor written in VHDL that adds a custom microcontroller to your next FPGA project.

With high customizability as the guiding principle, [stnolting] included a wide selection of peripherals and system features that can be synthesized as needed. Not limiting himself to the ones you would find in an off-the-shelf MSP430 controller, he demonstrates the true strength of open source soft cores. Do you need a random number generator, CRC calculation, and an SPI master with six dedicated chip select lines? No problem! He even includes a Custom Functions Unit that lets you add your own peripheral feature or processor extension.

However, what impresses most is all the work and care [stnolting] put into everything beyond the core implementation. From the C library and the collection of examples for each of the controller’s features, so you can get started out of the box with GCC’s MSP430 port, to writing a full-blown data sheet, and even setting up continuous integration for the entire repository. Each topic on its own is worth looking at, and the NEO430 offers a great introduction or reference for it.

Of course, there are some shortcomings as well, and the biggest downer is probably the lack of analog components, but that’s understandable considering your average FPGA’s building blocks. And well, it’s hard to compete with the MSP430’s ultra low-power design using an FPGA, so if you’re thinking of replicating this watch, you might be better off with a regular MSP430 from a battery lifetime point of view.

Researchers Break FPGA Encryption Using FPGA Encryption

FPGAs are awesome — they can be essentially configured into becoming any computing device you want. Simply load your selected bitstream into the device on boot, and it behaves like a different piece of hardware. With great power comes great responsibility.

You might try to hack a given FPGA system by getting between the EEPROM that stores the bitstream and the FPGA during bootup, but FPGA manufacturers are a step ahead of you. Xilinx 7 series FPGAs have an onboard encryption and signing engine, and facilities for storing a secret key. Once the security bit is set, bitstreams coming in have to be encrypted to protect from eavesdropping, and HMAC-signed to assure that they are authentic. You can’t simply read the bitstream in transit or inject your own.

Researchers at Ruhr University Bochum and Max Planck Institute for Cybersecurity and Privacy in Germany have figured out a way to use the FPGA’s own encryption engine against itself to break both of these security guarantees for the entire mainstream 7-series. The attack abuses a MultiBoot function that allows you to specify an address to begin execution after reboot. The researchers send 32 bits of the encoded payload as a MultiBoot address, the FPGA decrypts it and stores it in a register, and then resets because their command wasn’t correctly HMAC signed. But because the WBSTAR register is meant to be readable on boot after reset, the payload is still there in its decrypted form. Repeat for every 32 bits in the bitstream, and you’re done.

Pulling off this attack requires physical access to the FPGA’s debug pins and up to 12 hours, so you only have to worry about particularly dedicated adversaries, but the results are catastrophic — if you can reconfigure an FPGA, you can make it do essentially anything. Security-sensitive folks, we have three words of consolation for you: “restrict physical access”.
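The flaw described above is one of ordering: the device decrypts into a register that survives reset before it checks the HMAC. The following is a simplified model of that ordering beside a verify-first loader, added here as an illustration and not code from the researchers or from Xilinx. The XOR "cipher", the keys, and the class and function names are constructed assumptions; only WBSTAR, MultiBoot and HMAC come from the article.

```python
import hashlib
import hmac

ENC_KEY = b"constructed-enc-key"   # constructed sample keys, not real device keys
MAC_KEY = b"constructed-mac-key"
PAD = int.from_bytes(hashlib.sha256(ENC_KEY).digest()[:4], "big")

def crypt_word(word: int) -> int:
    """Toy 32-bit cipher (XOR pad); a stand-in for the device's real cipher."""
    return word ^ PAD

def sign(addr_ct: int, body_ct: list[int]) -> bytes:
    """HMAC over the ciphertext words (address field first, then body)."""
    data = b"".join(w.to_bytes(4, "big") for w in [addr_ct, *body_ct])
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()

class Device:
    """Model of a bitstream loader with a MultiBoot address register (WBSTAR)."""
    def __init__(self, verify_first: bool):
        self.verify_first = verify_first
        self.wbstar = 0            # readable after reset, as the article describes
        self.configured = False

    def load(self, addr_ct: int, body_ct: list[int], tag: bytes) -> bool:
        authentic = hmac.compare_digest(tag, sign(addr_ct, body_ct))
        if self.verify_first and not authentic:
            self.wbstar = 0        # hardened: reject before any decryption
            return False
        self.wbstar = crypt_word(addr_ct)   # decrypted word lands in the register
        self.configured = authentic         # flawed: HMAC failure only resets config
        return authentic

def register_after_rejected_loads(dev: Device, captured: list[int]) -> list[int]:
    """Place each captured ciphertext word in the address field with a bad tag
    and record what the register holds after the load is rejected."""
    seen = []
    for word in captured:
        dev.load(word, [], b"\x00" * 32)
        seen.append(dev.wbstar)
    return seen

# Constructed sample "bitstream" of three secret 32-bit words.
SECRET = [0xDEADBEEF, 0x00C0FFEE, 0x12345678]
CAPTURED = [crypt_word(w) for w in SECRET]

if __name__ == "__main__":
    print(register_after_rejected_loads(Device(verify_first=False), CAPTURED) == SECRET)
    print(register_after_rejected_loads(Device(verify_first=True), CAPTURED))
```

In the flawed ordering every rejected load still leaves one decrypted word behind; with verification first, an unauthenticated stream never reaches the decryption step and the register stays clear.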

What does this mean for Hackaday? If you’re looking at a piece of hardware with a hardened Xilinx 7-series FPGA in it, you’ll be able to use it, although it’s horribly awkward for debugging due to the multi-hour encryption procedure. Anyone know of a good side-channel bootloader for these chips? On the other hand, if you’re just looking to dig secrets out from the bitstream, this is a one-time cost.

This hack is probably only tangentially relevant to the Symbiflow team’s effort to reverse-engineer an open-source toolchain for this series of FPGAs. They are using unencrypted bitstreams for all of their research, naturally, and are almost done anyway. Still, it widens the range of applicability just a little bit, and we’re all for that.

[Banner image is a Numato Lab Neso, and comes totally unlocked naturally.]

An FPGA And A Few Components Can Make A Radio

There was a time when making a radio receiver involved significant work, much winding of coils, and tricky alignment of circuitry. The advent of Software Defined Radio (SDR) has moved a lot of this into the domain of software, but there is of course another field in which a radio can be created via code. [Alberto Garlassi] has created a radio receiver for the AM and HF bands with a Lattice MachXO2 FPGA and minimal external components.

He describes it as an SDR, which given that it’s created from Verilog, is a term that could be applied to it. But instead of using an SDR topology of ADC and digital signal processing, it implements a surprisingly traditional direct conversion receiver.

It has a quadrature AM demodulator which has a passing similarity to an SDR with I and Q phased signals, but that’s where the similarity ends. Frequency selection is via an oscillator controlled from a serial port, and there is even a PWM amplifier on board that can drive a speaker. The result can be seen in the video below, and as you can hear the direct conversion with quadrature demodulator approach makes for a very effective AM receiver.

If this is a little much but you still fancy a radio with minimal components, you should have a look at the Silicon Labs range of receiver chips.
