PIC32 DMA Is A Weird Machine

Direct memory access (DMA) systems in computers are more powerful than you might think, and [Bruce Land] and [Joseph Primmer] have done some clever hacking to take full advantage of this on the PIC32 microcontrollers. This is a cool proof-of-concept hack — you can do general computing in the DMA subsystem without using the CPU at all if you don’t mind taking your time — but they also include two useful examples: a direct digital synthesis machine and a random number generator. Both of these run using exactly 0% CPU time.

How do they do it? DMA is a mechanism for shuttling data around in memory or between hardware peripherals without involving the CPU. Say you want to take a large block of memory containing music, and spit it out slowly to an I2S audio converter. A DMA subsystem could be configured to take an interrupt from the sound chip, pass it a chunk of data, increment the data pointer, and wait for the next interrupt.

The gimmick, which goes back at least to [Rushanan] and [Checkoway]’s “Run DMA” paper, is that you can modify the memory source and destination addresses of one DMA service from another DMA service, and that some registers automatically perform mathematical operations on whatever data is put into them. Combine these together, and you’ve got transport-triggered programming.
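To make that mechanism concrete, here is an added simulation (not [Land] and [Primmer]'s PIC32 code) of a two-channel DMA engine whose channel registers live in ordinary memory, so one channel's transfer can rewrite another channel's source address. An "add one" lookup table stands in for the hardware registers that perform arithmetic on whatever is written to them; the memory layout and register offsets are invented for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated memory. The DMA channel "registers" live here too, so a transfer
   from one channel can overwrite another channel's source/destination address. */
#define MEM_SIZE   256
#define TABLE_BASE 0      /* mem[v] = v + 1: a lookup table that "adds one" */
#define TABLE_LEN  32
#define X_ADDR     64     /* the variable being counted up */
#define CH_BASE    128    /* channel control blocks: src, dst, len per channel */
#define CH_REG(ch, field) (CH_BASE + 4 * (ch) + (field))
enum { SRC = 0, DST = 1, LEN = 2 };

static uint8_t mem[MEM_SIZE];

/* One DMA transfer: a pure memory-to-memory copy, no arithmetic at all. */
static void dma_run_channel(int ch) {
    uint8_t src = mem[CH_REG(ch, SRC)];
    uint8_t dst = mem[CH_REG(ch, DST)];
    uint8_t len = mem[CH_REG(ch, LEN)];
    memmove(&mem[dst], &mem[src], len);
}

static void dma_setup_channel(int ch, uint8_t src, uint8_t dst, uint8_t len) {
    mem[CH_REG(ch, SRC)] = src;
    mem[CH_REG(ch, DST)] = dst;
    mem[CH_REG(ch, LEN)] = len;
}

/* Count up from 'start' for 'rounds' steps using only two chained channels:
   channel 0 copies X into channel 1's source-address register, and
   channel 1 then copies table[X] (which holds X + 1) back into X.
   Requires start + rounds < TABLE_LEN; the CPU never touches the value. */
uint8_t dma_count(uint8_t start, int rounds) {
    memset(mem, 0, sizeof mem);
    for (int v = 0; v < TABLE_LEN; v++) mem[TABLE_BASE + v] = (uint8_t)(v + 1);
    mem[X_ADDR] = start;
    dma_setup_channel(0, X_ADDR, CH_REG(1, SRC), 1);   /* "program" the next channel */
    dma_setup_channel(1, 0 /* patched by channel 0 */, X_ADDR, 1);
    for (int i = 0; i < rounds; i++) {
        dma_run_channel(0);
        dma_run_channel(1);
    }
    return mem[X_ADDR];
}

int main(void) {
    printf("3 counted up 5 times by DMA alone: %u\n", dma_count(3, 5));
    return 0;
}
```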

(An awesome side-note: our own [Al Williams] developed a one-instruction transport-triggered CPU way back in the day: the One Instruction Wonder.)

What is this good for? Writing simple helper applications that run independent of the CPU on a PIC32 microcontroller. [Land] and [Primmer]’s direct-digital synthesis example is a great one. But there are a lot of cases where you simply want to take in some new data and pre-process it a little bit before it enters the main program flow. While creating weird machines in the DMA engine might be a slower way to get it done, it keeps the CPU free for doing other stuff. We’re sure you’ll come up with something.

Today’s Twitter Hack Is New Take On “Nigerian Prince” Scam

Don’t send bitcoin to celebrities… or to random people for that matter. This afternoon a number of high profile Twitter accounts were taken over, including Joe Biden, Bill Gates, Elon Musk, Apple, Jeff Bezos, and Kanye West, and the event appears to be ongoing. Each displayed a message saying they wanted to “give back” by doubling the bitcoin that they are sent. The messages all appear to have the same bitcoin wallet address.

This is reminiscent of the “Nigerian prince” scams, a form of advance-fee scam where an email asks for help with a small sum of money in order to obtain a larger sum. Those usually come in as spam emails which most people are wise to at this point. However, blindly following celebrities on Twitter may still deliver a good dose of naïveté when those platforms are misused.

Bitcoin transactions can be viewed publicly and this wallet is showing 11.8 BTC in and 5.8 BTC out in a total of 288 transactions. The net is roughly 6 bitcoin or $55k USD at the time of writing. Twitter’s response appears to have locked down all verified accounts from publishing new tweets. They retain the ability to retweet and delete existing tweets.


Does PHP Have A Future, Or Are Twenty Five Years Enough?

In June, 1995, Rasmus Lerdorf made an announcement on a Usenet group. You can still read it.

Announcing the Personal Home Page Tools (PHP Tools) version 1.0.

These tools are a set of small tight cgi binaries written in C.

Today, twenty-five years on, PHP is about as ubiquitous as it could possibly have become. I’d be willing to bet that for the majority of readers of this article, their first forays into web programming involved PHP.

But no matter what rich history and wide userbase PHP holds, that’s no justification for its use in a landscape that is rapidly evolving. Whilst PHP will inevitably be around for years to come in existing applications, does it have a future in new sites?

Continue reading “Does PHP Have A Future, Or Are Twenty Five Years Enough?”

Instruction Set Hack For Protected Memory Access

The nRF51 series of SoCs is a family of low-power Bluetooth chips from Nordic Semiconductor based on ARM Cortex cores. The nRF51822 has a Cortex-M0 core and is used in a lot of products. [Loren] has written a blog post in which he claims to be able to circumvent readback protection on the chip, giving access to the ROM, RAM and registers as well as allowing interactive debugging sessions.

The hack stems from the fact that the Serial Wire Debug (SWD) interface cannot be completely disabled on these chips, even when the Memory Protection Unit prevents direct access to the memory regions. The second key piece is that the CPU can still fetch from code memory. Combined with SWD’s superpower of changing the registers themselves, this can be a powerful tool.

Continue reading “Instruction Set Hack For Protected Memory Access”

Researchers Break FPGA Encryption Using FPGA Encryption

FPGAs are awesome — they can be essentially configured into becoming any computing device you want. Simply load your selected bitstream into the device on boot, and it behaves like a different piece of hardware. With great power comes great responsibility.

You might try to hack a given FPGA system by getting between the EEPROM that stores the bitstream and the FPGA during bootup, but FPGA manufacturers are a step ahead of you. Xilinx 7 series FPGAs have an onboard encryption and signing engine, and facilities for storing a secret key. Once the security bit is set, bitstreams coming in have to be encrypted to protect from eavesdropping, and HMAC-signed to assure that they are authentic. You can’t simply read the bitstream in transit or inject your own.

Researchers at Ruhr University Bochum and Max Planck Institute for Cybersecurity and Privacy in Germany have figured out a way to use the FPGA’s own encryption engine against itself to break both of these security guarantees for the entire mainstream 7-series. The attack abuses a MultiBoot function that allows you to specify an address to begin execution after reboot. The researchers send 32 bits of the encoded payload as a MultiBoot address, the FPGA decrypts it and stores it in a register, and then resets because their command wasn’t correctly HMAC signed. But because the WBSTAR register is meant to be readable on boot after reset, the payload is still there in its decrypted form. Repeat for every 32 bits in the bitstream, and you’re done.

Pulling off this attack requires physical access to the FPGA’s debug pins and up to 12 hours, so you only have to worry about particularly dedicated adversaries, but the results are catastrophic — if you can reconfigure an FPGA, you can make it do essentially anything. Security-sensitive folks, we have three words of consolation for you: “restrict physical access”.

What does this mean for Hackaday? If you’re looking at a piece of hardware with a hardened Xilinx 7-series FPGA in it, you’ll be able to use it, although it’s horribly awkward for debugging due to the multi-hour encryption procedure. Anyone know of a good side-channel bootloader for these chips? On the other hand, if you’re just looking to dig secrets out from the bitstream, this is a one-time cost.

This hack is probably only tangentially relevant to the Symbiflow team’s effort to reverse-engineer an open-source toolchain for this series of FPGAs. They are using unencrypted bitstreams for all of their research, naturally, and are almost done anyway. Still, it widens the range of applicability just a little bit, and we’re all for that.

[Banner image is a Numato Lab Neso, and comes totally unlocked naturally.]

The Ultimate Game Boy Talk

It is absolutely no exaggeration to say that [Michael Steil] gave the Ultimate Game Boy talk at the 33rd Chaos Communication Congress back in 2016. Watch it, and if you think that there’s been a better talk since then, post up in the comments and we’ll give you the hour back. (As soon as we get this time machine working…)

We were looking into the audio subsystem of the Game Boy a while back, and scouring the Internet for resources, when we ran across this talk. Not only does [Michael] do a perfect job of demonstrating the entire audio system, allowing you to write custom chiptunes at the register level if that’s your thing, but he also gets deep into the graphics engine. You’ll never look at a low-bit Pole Position clone the same again. The talk even includes some new (in 2016, anyway) hacks on the pixel pipeline in the last 15 minutes, and a quick review of the hacking tools and even the Game Boy camera.

Why do you care about the Game Boy? It’s probably the last/best 8-bit game machine that was made in mass production. You can get your hands on one, or a clone, for dirt cheap. And if you build a microcontroller-based cartridge, you can hack the whole thing non-destructively live, and in Python! Or emulate either the whole shebang. Either way, when you’re done, you’ve got a portable demo of your hard work thanks to the Nintendo hardware. It makes the perfect retro project.

Continue reading “The Ultimate Game Boy Talk”

The Open Source Smart Home

[Tijmen Schep] sends in his project, Candle Smart Home, an exhibit of 12 smart home devices designed around the concepts of ownership, open source, and privacy.

The central controller runs on a Raspberry Pi running Mozilla’s new smart home operating system. Each individual device is Arduino-based, and when you click through on the site you get a well-designed graphic explaining how to build each device.

It’s also fun to see how many people worked together on this project and added their own flair. Whether it’s a unique covering for the devices or a toggle switch that can toggle itself, there are quite a few personal touches.

Like anyone who’s had the sneaking suspicion that Jeff Bezos was listening in on their conversations, we get the need for this. We also love how approachable it makes hacking your own hardware. What are your thoughts?