Orphaned IoT Sleep Tracker Resurrected As An Air Quality Monitor

If you have a Hello Sense sleep tracking device lying around somewhere in your drawer of discards, it can be brought back to life in a new avatar. Just follow [Alexander Gee]’s instructions to resurrect the Hello Sense as an IoT air quality data-logger.

In 2014, startup “Hello” introduced the Sense, an IoT sleep tracking device with a host of embedded sensors, all wrapped up in a slick, injection molded spherical enclosure. The device was quite nice, and by 2015, they had managed to raise $21M in funding. But their business model didn’t seem sustainable, and in 2017, Hello shut shop. Leaving all the Sense devices orphaned, sitting dormant in beautifully designed enclosures with no home to dial back to.

The original Sense included six sensors: illumination, humidity, temperature, sound, dust / particulate matter on the main device, and motion sensing via a separate Bluetooth dongle called the Pill. [Alexander] was interested in air quality measurements, so only needed to get data from the humidity/temperature and dust sensors. Thankfully for [Alexander], a detailed Hello Sense Teardown by [Lindsay Williams] was useful in getting started.

The hardware consisted of four separate PCB’s — power conditioning, LED ring, processor, and sensor board. This ensured that everything could be fit inside the orb shaped enclosure. Getting rid of the LED ring and processor board made space for a new NodeMCU ESP8266 brain which could be hooked up to the sensors. Connecting the NodeMCU to the I2C interface of the humidity/temperature sensor required some bodge wire artistry. Interfacing the PM sensor was a bit more easier since it already had a dedicated cable connected to the original processor board which could be reconnected to the new processor board. The NodeMCU board runs a simple Arduino sketch, available on his Git repo, to gather data and push it online.

For the online data display dashboard, [Alexander] found a nice solution by [Nilhcem] for home monitoring using MQTT, InfluxDB, and Grafana. It could be deployed via a docker compose file and have it up and running quickly. Unfortunately, such projects don’t usually succeed without causing some heartburn, so [Alexander] has got you covered with a bunch of troubleshooting tips and suggestions should you get entangled.

If you have an old Sense device lying around, then this would be a good way to put it some use. But If you’d rather build an air-quality monitor from scratch, then try “Building a Full-Fat Air-Quality Monitor” or “An Air-quality Monitor That Leverages the Cloud“.

Putting Your Time In

I was absolutely struck by a hack this week — [Adam Bäckström]’s amazing robot arm built with modified hobby servos. Basically, he’s taken apart and re-built some affordable off-the-shelf servo motors, and like the 6-Million-Dollar Man, he’s rebuilt them better, stronger, faster. OK, and smoother. We have the technology.

The results are undeniably fantastic, and enable the experienced hacker to get champagne robot motion control on a grape-juice budget by employing some heavy control theory, and redundant sensors to overcome geartrain backlash, which is the devil of cheap servos. But this didn’t come out of nowhere. In his writeup, [Adam] starts off with “You could say this project started when I ordered six endless servos in middle school, more than 15 years ago.” And it shows.

Go check out this video of his first version of the modified servos, from a six-axis arm he built in 2009(!). He’s built in analog position sensors in the motors, which lets him control the speed and makes it work better than any other hobby servo arm you’ve ever seen, but there’s still visible backlash in the gears. A mere twelve years later, he’s got magnetic encoders on the output and a fast inner loop compensates for the backlash. The result is that the current arm moves faster and smoother, while retaining accuracy.

Twelve years. I assume that [Adam] has had some other projects on his plate as well, but that’s a long term project by any account. I’m stoked to see his work, not the least because it should help a lot of others who are ready to step up their desktop servo-arm projects. But the real take-home lesson here is that if you’ve got a tough problem that you’re hacking on, you don’t have to get it done this weekend. You don’t have to get it done next weekend either. Keep hammering on it as long as you need, but keep on hammering. When you get it done, the results will be all the better for the long, slow, brewing time. What’s the longest project that you’ve ever worked on?

PIC32 DMA Is A Weird Machine

Direct memory access (DMA) systems in computers are more powerful than you might think, and [Bruce Land] and [Joseph Primmer] have done some clever hacking to take full advantage of this on the PIC32 microcontrollers. This is a cool proof-of-concept hack — you can do general computing in the DMA subsystem without using the CPU at all if you don’t mind taking your time — but they also include two useful examples: a direct digital synthesis machine and a random number generator. Both of these run using exactly 0% CPU time.

How do they do it? DMA is a mechanism for shuttling data around in memory or between hardware peripherals without involving the CPU. Say you want to take a large block of memory containing music, and spit it out slowly to an I2S audio converter. A DMA subsystem could be configured to take an interrupt from the sound chip, pass it a chunk of data, increment the data pointer, and wait for the next interrupt.

The gimmick, which goes back at least to [Rushanan] and [Checkoway]’s “Run DMA” paper, is that you can modify the memory source and destination addresses of one DMA service from another DMA service, and that some registers automatically perform mathematical operations on whatever data is put into them. Combine these together, and you’ve got transport-triggered programming.

(An awesome side-note: our own [Al Williams] developed a one-instruction transport-triggered CPU way back in the day: the One Instruction Wonder.)

What is this good for? Writing simple helper applications that run independent of the CPU on a PIC32 microcontroller. [Land] and [Primmer]’s direct-digital synthesis example is a great one. But there are a lot of cases where you simply want to take in some new data and pre-process it a little bit before it enters the main program flow. While creating weird machines in the DMA engine might be a slower way to get it done, it keeps the CPU free for doing other stuff. We’re sure you’ll come up with something.

Today’s Twitter Hack Is New Take On “Nigerian Prince” Scam

Don’t send bitcoin to celebrities… or to random people for that matter. This afternoon a number of high profile Twitter accounts were taken over, including Joe Biden, Bill Gates, Elon Musk, Apple, Jeff Bezos, and Kanye West, and the event appears to be ongoing. Each displayed a message saying they wanted to “give back” by doubling the bitcoin that they are sent. The messages all appear to have the same bitcoin wallet address.

This is reminiscent of the “Nigerian prince” scams, a form of advance-fee scam where an email asks for help with a small sum of money in order to obtain a larger sum. Those usually come in as spam emails which most people are wise to at this point. However, blindly following celebrities on Twitter may still deliver a good dose of naïveté when those platforms are misused.

Bitcoin transactions can be viewed publicly and this wallet is showing 11.8 BTC in and 5.8 BTC out in a total of 288 transactions. The net is roughly 6 bitcoin or $55k USD at the time of writing. Twitter’s response appears to have locked down all verified accounts from publishing new tweets. They retain the ability to retweet and delete existing tweets.

Main image screenshot sources:

Does PHP Have A Future, Or Are Twenty Five Years Enough?

In June, 1995, Rasmus Lerdorf made an announcement on a Usenet group. You can still read it.

Today, twenty five years on, PHP is about as ubiquitous as it could possibly have become. I’d be willing to bet that for the majority of readers of this article, their first forays into web programming involved PHP.

Announcing the Personal Home Page Tools (PHP Tools) version 1.0.

These tools are a set of small tight cgi binaries written in C.

But no matter what rich history and wide userbase PHP holds, that’s no justification for its use in a landscape that is rapidly evolving. Whilst PHP will inevitably be around for years to come in existing applications, does it have a future in new sites?

Continue reading “Does PHP Have A Future, Or Are Twenty Five Years Enough?”

Instruction Set Hack For Protected Memory Access

The nRF51 Series SoCs is a family of low power Bluetooth chips from Nordic Semiconductor that is based on ARM Cortex cores. The nRF51822 has the Cortex M0 core and is used in a lot of products. [Loren] has written a blog post in which he claims to be able to circumvent read back protection on the chip, thus giving access to the ROM, RAM and registers as well as allow for interactive debugging sessions.

The hack stems from the fact that the  Serial Wire Debug or SWD interface cannot be completely disabled on these chips even if the Memory Protection Unit prevents access to any memory regions directly. The second key piece is the fact that CPU can fetch stuff from the code memory. Combined with the SWD super powers to make changes to the registers themselves, this can be a powerful tool.

Continue reading “Instruction Set Hack For Protected Memory Access”

Researchers Break FPGA Encryption Using FPGA Encryption

FPGAs are awesome — they can be essentially configured into becoming any computing device you want. Simply load your selected bitstream into the device on boot, and it behaves like a different piece of hardware. With great power comes great responsibility.

You might try to hack a given FPGA system by getting between the EEPROM that stores the bitstream and the FPGA during bootup, but FPGA manufacturers are a step ahead of you. Xilinx 7 series FPGAs have an onboard encryption and signing engine, and facilities for storing a secret key. Once the security bit is set, bitstreams coming in have to be encrypted to protect from eavesdropping, and HMAC-signed to assure that they are authentic. You can’t simply read the bitstream in transit or inject your own.

Researchers at Ruhr University Bochum and Max Planck Institute for Cybersecurity and Privacy in Germany have figured out a way to use the FPGA’s own encryption engine against itself to break both of these security guarantees for the entire mainstream 7-series. The attack abuses a MultiBoot function that allows you to specify an address to begin execution after reboot. The researchers send 32 bits of the encoded payload as a MultiBoot address, the FPGA decrypts it and stores it in a register, and then resets because their command wasn’t correctly HMAC signed. But because the WBSTAR register is meant to be readable on boot after reset, the payload is still there in its decrypted form. Repeat for every 32 bits in the bitstream, and you’re done.

Pulling off this attack requires physical access to the FPGA’s debug pins and up to 12 hours, so you only have to worry about particularly dedicated adversaries, but the results are catastrophic — if you can reconfigure an FPGA, you can make it do essentially anything. Security-sensitive folks, we have three words of consolation for you: “restrict physical access”.

What does this mean for Hackaday? If you’re looking at a piece of hardware with a hardened Xilinx 7-series FPGA in it, you’ll be able to use it, although it’s horribly awkward for debugging due to the multi-hour encryption procedure. Anyone know of a good side-channel bootloader for these chips? On the other hand, if you’re just looking to dig secrets out from the bitstream, this is a one-time cost.

This hack is probably only tangentially relevant to the Symbiflow team’s effort to reverse-engineer an open-source toolchain for this series of FPGAs. They are using unencrypted bitstreams for all of their research, naturally, and are almost done anyway. Still, it widens the range of applicability just a little bit, and we’re all for that.

[Banner image is a Numato Lab Neso, and comes totally unlocked naturally.]