hack

113 Articles

Putting Your Time In

March 27, 2021 by 28 Comments

I was absolutely struck by a hack this week — [Adam Bäckström]’s amazing robot arm built with modified hobby servos. Basically, he’s taken apart and re-built some affordable off-the-shelf servo motors, and like the 6-Million-Dollar Man, he’s rebuilt them better, stronger, faster. OK, and smoother. We have the technology.

The results are undeniably fantastic, and enable the experienced hacker to get champagne robot motion control on a grape-juice budget by employing some heavy control theory, and redundant sensors to overcome geartrain backlash, which is the devil of cheap servos. But this didn’t come out of nowhere. In his writeup, [Adam] starts off with “You could say this project started when I ordered six endless servos in middle school, more than 15 years ago.” And it shows.

Go check out this video of his first version of the modified servos, from a six-axis arm he built in 2009(!). He’s built in analog position sensors in the motors, which lets him control the speed and makes it work better than any other hobby servo arm you’ve ever seen, but there’s still visible backlash in the gears. A mere twelve years later, he’s got magnetic encoders on the output and a fast inner loop compensates for the backlash. The result is that the current arm moves faster and smoother, while retaining accuracy.

Twelve years. I assume that [Adam] has had some other projects on his plate as well, but that’s a long term project by any account. I’m stoked to see his work, not the least because it should help a lot of others who are ready to step up their desktop servo-arm projects. But the real take-home lesson here is that if you’ve got a tough problem that you’re hacking on, you don’t have to get it done this weekend. You don’t have to get it done next weekend either. Keep hammering on it as long as you need, but keep on hammering. When you get it done, the results will be all the better for the long, slow, brewing time. What’s the longest project that you’ve ever worked on?

This article is part of the Hackaday.com newsletter, delivered every seven days for each of the last 200+ weeks. It also includes our favorite articles from the last seven days that you can see on the web version of the newsletter. Want this type of article to hit your inbox every Friday morning? You should sign up!

PIC32 DMA Is A Weird Machine

August 13, 2020 by 11 Comments

Direct memory access (DMA) systems in computers are more powerful than you might think, and [Bruce Land] and [Joseph Primmer] have done some clever hacking to take full advantage of this on the PIC32 microcontrollers. This is a cool proof-of-concept hack — you can do general computing in the DMA subsystem without using the CPU at all if you don’t mind taking your time — but they also include two useful examples: a direct digital synthesis machine and a random number generator. Both of these run using exactly 0% CPU time.

How do they do it? DMA is a mechanism for shuttling data around in memory or between hardware peripherals without involving the CPU. Say you want to take a large block of memory containing music, and spit it out slowly to an I2S audio converter. A DMA subsystem could be configured to take an interrupt from the sound chip, pass it a chunk of data, increment the data pointer, and wait for the next interrupt.

The gimmick, which goes back at least to [Rushanan] and [Checkoway]’s “Run DMA” paper, is that you can modify the memory source and destination addresses of one DMA service from another DMA service, and that some registers automatically perform mathematical operations on whatever data is put into them. Combine these together, and you’ve got transport-triggered programming.

(An awesome side-note: our own [Al Williams] developed a one-instruction transport-triggered CPU way back in the day: the One Instruction Wonder.)

What is this good for? Writing simple helper applications that run independent of the CPU on a PIC32 microcontroller. [Land] and [Primmer]’s direct-digital synthesis example is a great one. But there are a lot of cases where you simply want to take in some new data and pre-process it a little bit before it enters the main program flow. While creating weird machines in the DMA engine might be a slower way to get it done, it keeps the CPU free for doing other stuff. We’re sure you’ll come up with something.

Today’s Twitter Hack Is New Take On “Nigerian Prince” Scam

July 15, 2020 by 52 Comments

Don’t send bitcoin to celebrities… or to random people for that matter. This afternoon a number of high profile Twitter accounts were taken over, including Joe Biden, Bill Gates, Elon Musk, Apple, Jeff Bezos, and Kanye West, and the event appears to be ongoing. Each displayed a message saying they wanted to “give back” by doubling the bitcoin that they are sent. The messages all appear to have the same bitcoin wallet address.

This is reminiscent of the “Nigerian prince” scams, a form of advance-fee scam where an email asks for help with a small sum of money in order to obtain a larger sum. Those usually come in as spam emails which most people are wise to at this point. However, blindly following celebrities on Twitter may still deliver a good dose of naïveté when those platforms are misused.

Bitcoin transactions can be viewed publicly and this wallet is showing 11.8 BTC in and 5.8 BTC out in a total of 288 transactions. The net is roughly 6 bitcoin or $55k USD at the time of writing. Twitter’s response appears to have locked down all verified accounts from publishing new tweets. They retain the ability to retweet and delete existing tweets.

Main image screenshot sources:

Does PHP Have A Future, Or Are Twenty Five Years Enough?

June 29, 2020 by 51 Comments

In June, 1995, Rasmus Lerdorf made an announcement on a Usenet group. You can still read it.

Today, twenty five years on, PHP is about as ubiquitous as it could possibly have become. I’d be willing to bet that for the majority of readers of this article, their first forays into web programming involved PHP.

Announcing the Personal Home Page Tools (PHP Tools) version 1.0.

These tools are a set of small tight cgi binaries written in C.

But no matter what rich history and wide userbase PHP holds, that’s no justification for its use in a landscape that is rapidly evolving. Whilst PHP will inevitably be around for years to come in existing applications, does it have a future in new sites?

Continue reading “Does PHP Have A Future, Or Are Twenty Five Years Enough?”

Instruction Set Hack For Protected Memory Access

April 27, 2020 by 7 Comments

The nRF51 Series SoCs is a family of low power Bluetooth chips from Nordic Semiconductor that is based on ARM Cortex cores. The nRF51822 has the Cortex M0 core and is used in a lot of products. [Loren] has written a blog post in which he claims to be able to circumvent read back protection on the chip, thus giving access to the ROM, RAM and registers as well as allow for interactive debugging sessions.

The hack stems from the fact that the  Serial Wire Debug or SWD interface cannot be completely disabled on these chips even if the Memory Protection Unit prevents access to any memory regions directly. The second key piece is the fact that CPU can fetch stuff from the code memory. Combined with the SWD super powers to make changes to the registers themselves, this can be a powerful tool.

Continue reading “Instruction Set Hack For Protected Memory Access”

Researchers Break FPGA Encryption Using FPGA Encryption

April 23, 2020 by 18 Comments

FPGAs are awesome — they can be essentially configured into becoming any computing device you want. Simply load your selected bitstream into the device on boot, and it behaves like a different piece of hardware. With great power comes great responsibility.

You might try to hack a given FPGA system by getting between the EEPROM that stores the bitstream and the FPGA during bootup, but FPGA manufacturers are a step ahead of you. Xilinx 7 series FPGAs have an onboard encryption and signing engine, and facilities for storing a secret key. Once the security bit is set, bitstreams coming in have to be encrypted to protect from eavesdropping, and HMAC-signed to assure that they are authentic. You can’t simply read the bitstream in transit or inject your own.

Researchers at Ruhr University Bochum and Max Planck Institute for Cybersecurity and Privacy in Germany have figured out a way to use the FPGA’s own encryption engine against itself to break both of these security guarantees for the entire mainstream 7-series. The attack abuses a MultiBoot function that allows you to specify an address to begin execution after reboot. The researchers send 32 bits of the encoded payload as a MultiBoot address, the FPGA decrypts it and stores it in a register, and then resets because their command wasn’t correctly HMAC signed. But because the WBSTAR register is meant to be readable on boot after reset, the payload is still there in its decrypted form. Repeat for every 32 bits in the bitstream, and you’re done.

Pulling off this attack requires physical access to the FPGA’s debug pins and up to 12 hours, so you only have to worry about particularly dedicated adversaries, but the results are catastrophic — if you can reconfigure an FPGA, you can make it do essentially anything. Security-sensitive folks, we have three words of consolation for you: “restrict physical access”.

What does this mean for Hackaday? If you’re looking at a piece of hardware with a hardened Xilinx 7-series FPGA in it, you’ll be able to use it, although it’s horribly awkward for debugging due to the multi-hour encryption procedure. Anyone know of a good side-channel bootloader for these chips? On the other hand, if you’re just looking to dig secrets out from the bitstream, this is a one-time cost.

This hack is probably only tangentially relevant to the Symbiflow team’s effort to reverse-engineer an open-source toolchain for this series of FPGAs. They are using unencrypted bitstreams for all of their research, naturally, and are almost done anyway. Still, it widens the range of applicability just a little bit, and we’re all for that.

[Banner image is a Numato Lab Neso, and comes totally unlocked naturally.]

The Ultimate Game Boy Talk

March 14, 2020 by 3 Comments

It is absolutely no exaggeration to say that [Michael Steil] gave the Ultimate Game Boy talk at the 33rd Chaos Communication Congress back in 2016. Watch it, and if you think that there’s been a better talk since then, post up in the comments and we’ll give you the hour back. (As soon as we get this time machine working…)

We were looking into the audio subsystem of the Game Boy a while back, and scouring the Internet for resources, when we ran across this talk. Not only does [Michael] do a perfect job of demonstrating the entire audio system, allowing you to write custom chiptunes at the register level if that’s your thing, but he also gets deep into the graphics engine. You’ll never look at a low-bit Pole Position clone the same again. The talk even includes some new (in 2016, anyway) hacks on the pixel pipeline in the last 15 minutes, and a quick review of the hacking tools and even the Game Boy camera.

Why do you care about the Game Boy? It’s probably the last/best 8-bit game machine that was made in mass production. You can get your hands on one, or a clone, for dirt cheap. And if you build a microcontroller-based cartridge, you can hack the whole thing non-destructively live, and in Python! Or emulate either the whole shebang. Either way, when you’re done, you’ve got a portable demo of your hard work thanks to the Nintendo hardware. It makes the perfect retro project.

Continue reading “The Ultimate Game Boy Talk”