From Software to Tindie Hack Chat with Brian Lough

Join us Wednesday at noon Pacific time for the From Software to Tindie Hack Chat!

Brian Lough has followed a roundabout but probably not unusual route to the hardware hacking scene. Educated in Electronic and Computer Engineering, Brian is a software developer by trade who became enamored of Arduino development when the ESP8266 hit the market. He realized that microcontrollers such as these offered incredible capabilities on the cheap, and the bug bit him.

Since then, Brian has fully embraced the hardware hacking way, going so far as to live stream complete builds in a sort of collaborative “hack-along” with his viewers. He’s also turned a few of his builds into legitimate products, selling them on his Tindie store and even going so far as to automate testing before shipping to catch errors and improve quality.

Please join us for this Hack Chat, where we’ll discuss:

  • How software hacking leads to hardware hacking;
  • The creative process and how live streaming helps or hinders it;
  • The implications of going from project to product; and
  • What sorts of new projects might we see soon?


Years Don’t Dim The Shine of These Curious Gadgets

[Maarten Tromp] recently took the time to document some of the unusual and creative electronic projects he received as gifts over the years. These gadgets were created in the early 2000s and still work flawlessly today. Two of our favorites are shown here: Hardware Tetris Unit (shown in the image above) and Heap of Electronic Parts.

The “Heap of Electronic Parts” makes sounds when in sunlight.

Heap of Electronic Parts was a kind of hardware puzzle and certainly lives up to its name. It’s a bunch of parts soldered in a mystifying way to the backs of four old EPROMs — the chips with the little window through which UV is used to erase the contents. Assured that the unit really did have a function, [Maarten] eventually figured out that when placed in sunlight, the device ticks, buzzes, and squeals. [Jeroen] had figured out that the EPROMs could act like tiny solar cells when placed in sunlight, and together the four generate just enough power to drive an oscillator connected to a piezo speaker. It still chirps happily away, even today.

Hardware Tetris plays in a terminal window.

Hardware Tetris Unit was a black box intended to be plugged into a serial port. With a terminal opened using the correct serial port settings, a fully-functional Tetris game using ASCII-art graphics could be played. It was even self-powered from the serial port pins.

Inside Hardware Tetris is an AVR microcontroller with some level shifters, and the source code and schematics are available for download. 14 years later, computers no longer have hardware serial ports but [Maarten] says a USB-to-serial converter worked just fine and the device still functions perfectly.

There are a couple more devices documented on [Maarten]’s gifts page, including a Zork-inspired mini text adventure and a hardware board that does some trippy demos on an old Nokia color LCD. [Maarten]’s friend [Jeroen Domburg] (aka Sprite_tm) had a hand in creating most of the gadgets, and he’s someone whose brilliant work we have had the good fortune to feature many times in the past.

Being an SPI Slave Can Be Trickier than it Appears

Interfacing with the outside world is a fairly common microcontroller task. Outside of certain use cases microcontrollers are arguably primarily useful because of how easily they can interface with other devices. If we just wanted to read and write some data we wouldn’t have gotten that Arduino! But some tasks are more common than others; for instance we’re used to being on the master side of the interface equation, not the slave side. (That’s the job for the TI engineer who designed the temperature sensor, right?) As [Pat] discovered when mocking out a missing SPI GPIO extender, sometimes playing the other role can contain unexpected difficulties.

The simple case for a SPI slave is exactly that: simple. SPI can be wonderful in its apparent simplicity. Unlike I2C there are no weird addressing schemes, read/write bits, stop and start clock conditions. You toggle a clock line and a bit of data comes out, as long as you have the right polarity schemes of course. As a slave device the basic algorithm is of commensurate complexity. Set up an interrupt on the clock pin, wait for your chip select to be asserted, and on each clock edge shift out the next bit of the current word. Check out [Pat]’s eminently readable code to see how simple it can be.

But that last little bit is where the complexity lies. When you’re the master it’s like being the apex predator, the king of the jungle, the head program manager. You dictate the tempo and everyone on the bus dances to the beat of your clock edge. Sure the datasheet for that SRAM says it can’t run faster than 8 MHz but do you really believe it? Not until you try driving that clock a little quicker to see if there’s not a speedier transfer to be had! When you’re the slave you have to have a bit ready every clock edge. Period. Missing even a single bit due to, say, an errant print statement will trash the rest of the transaction in ways which are hard to detect and recover from. And your slave code needs to be able to detect those problems in order to reset for the next transaction. Getting stuck waiting to send the 8th bit of a transaction that has ended won’t do.

Check out [Pat]’s very friendly post for a nice refresher on SPI and their discoveries working through the problems of building a SPI slave. There are some helpful tips about how to keep things responsive in a device performing other tasks.
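The slave-side algorithm and its recovery problem, as an added example that is not [Pat]'s code: a host-runnable C model in which chip select resets the bit counter so a truncated transfer cannot leave the slave waiting on a bit that never comes. The `spi_slave` type, handler names and the simulated master are hypothetical, and each clock cycle is collapsed into a single handler call.

```c
#include <stdint.h>
#include <stdbool.h>

typedef struct {
    bool     selected;   /* chip select currently asserted */
    uint8_t  tx;         /* byte being shifted out, MSB first */
    uint8_t  rx;         /* bits received so far in this byte */
    uint8_t  bits;       /* clock cycles seen in the current byte */
    uint8_t  next_tx;    /* byte to load at the start of each word */
    uint8_t  last_rx;    /* last complete byte received */
    unsigned completed;  /* whole bytes transferred */
    unsigned aborted;    /* transfers that ended mid-byte */
} spi_slave;

/* Chip-select edge handler (a pin-change ISR on real hardware). */
void spi_cs_change(spi_slave *s, bool asserted) {
    if (!asserted && s->selected && s->bits != 0)
        s->aborted++;            /* master stopped early or we missed an edge */
    s->selected = asserted;
    s->bits = 0;                 /* next word always starts from bit 7 */
    s->rx = 0;
    s->tx = s->next_tx;
}

/* Clock handler: sample MOSI and return the MISO bit for this clock. */
int spi_clock_edge(spi_slave *s, int mosi) {
    if (!s->selected) return -1; /* not addressed: MISO stays undriven */
    int miso = (s->tx >> 7) & 1;
    s->tx <<= 1;
    s->rx = (uint8_t)((s->rx << 1) | (mosi & 1));
    if (++s->bits == 8) {        /* word complete: latch it and reload */
        s->last_rx = s->rx;
        s->completed++;
        s->bits = 0;
        s->rx = 0;
        s->tx = s->next_tx;
    }
    return miso;
}

/* Simulated master (constructed test driver): clock nbits of `out`. */
uint8_t master_xfer(spi_slave *s, uint8_t out, int nbits) {
    uint8_t in = 0;
    spi_cs_change(s, true);
    for (int i = 0; i < nbits; i++)
        in = (uint8_t)((in << 1) | spi_clock_edge(s, (out >> (7 - i)) & 1));
    spi_cs_change(s, false);
    return in;
}
```

Without the reset in `spi_cs_change`, the five-clock transfer would leave `bits` at 5 and every later byte would come out shifted by three bits.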

Malicious Component Found on Server Motherboards Supplied to Numerous Companies

This morning Bloomberg is reporting a bombshell for hardware security. Companies like Amazon and Apple have found a malicious chip on their server motherboards. These are not counterfeit chips. They are not part of the motherboard design. These were added by the factory at the time of manufacture. The chip was placed among other signal conditioning components and is incredibly hard to spot as the nature of these motherboards includes hundreds of minuscule components.

Though Amazon and Apple have denied it, according to Bloomberg, a private security contractor in Canada found the hidden chip on server motherboards. Elemental Technologies, acquired by Amazon in 2015 for its video and graphics processing hardware, subcontracted Supermicro (Super Micro Computer, Inc.) to manufacture their server motherboards in China. It is unknown how many of the company’s products have this type of malicious hardware in them. Equipment from Elemental Technologies has been supplied to the likes of government contractors as well as major banks, and was even reportedly used in the CIA’s drone operations.

How the Hack Works

The attack works by implanting a small chip onto the motherboard, disguised as a signal coupler. It is unclear how the chip gains access to peripherals such as memory (as reported by Bloomberg), but it is possible it has something to do with accessing the bus. The chip controls some data lines on the motherboard that likely provide an attack vector for the baseboard management controller (BMC).

Hackaday spoke with Joe FitzPatrick (a well-known hardware security guru who was quoted in the Bloomberg article). He finds this reported attack a very believable approach to compromising servers. His take on the BMC is that it’s usually an ARM processor running an ancient version of Linux that has control over the major parts of the server. Any known vulnerability in the BMC would be an attack surface for the custom chip.

Data centers house thousands of individual servers that see no physical interaction from humans once installed. The BMC lets administrators control the servers remotely to reboot malfunctioning equipment among other administrative tasks. If this malicious chip can take control of the BMC, then it can provide remote access to whoever installed the chip. Reported investigations have revealed the hack in action with brief check-in communications from these chips, though it’s difficult to say if they had already served their purpose or were being saved for a future date.

What Now?

Adding hardware to a design is fundamentally different than software-based hacking: it leaves physical evidence behind. Bloomberg reports on US government efforts to investigate the supply chain attached to these parts. It is worth noting though that the article doesn’t include any named sources while pointing the finger at China’s People’s Liberation Army.

The solution is not a simple one if servers with this malicious chip were already out in the field. Even if you know a motherboard has the additional component, finding it is not easy. Bloomberg also has unconfirmed reports that the next generation of this attack places the malicious component between layers of the circuit board. If true, an x-ray would be required to spot the additional part.

A true solution for high-security applications will require specialized means of making sure that the resulting product is not altered in any way. This hack takes things to a whole new level and calls into question how we validate hardware that runs our networks.

Update: We changed the penultimate paragraph to include the word if: “…simple one if servers with…” as it has not been independently verified that servers were actually out in the field and companies have denied Bloomberg’s reporting that they were.

[Note: Image is a generic photo and not the actual hardware]

Show that Sega Saturn Save Battery Who’s Boss

Breaking the Sega Saturn out of the closet for a hit of ’90s nostalgia comes with its own set of compromises: the wired controllers, the composite video, and worst of all that dead CR2032 battery behind the backdoor. Along with the death of that battery went your clock and all those precious hours put into your game save files. While the bulk of us kept feeding the insatiable SRAM, a friendly Canadian engineer named [René] decided to fix the problem for good with FRAM.

The issue with the battery-backed memory in the Saturn stems from the particularly power-hungry factory-installed SRAM chip. Normally when the console is plugged in to a main power source the CR2032 battery is not in use, though after several weeks in storage the battery slowly discharges. [René’s] proposed solution was to use a non-volatile form of RAM chip that would match the pinout of the factory SRAM as closely as possible. This would allow for easier install with the minimum number of jumper wires.

Enter the FM1808 FRAM chip complete with a whopping 256 kb of addressable memory. The ferroelectric chip operates at the same voltage as the Saturn’s factory SRAM, and has the added benefit of being able to use a read/write mode similar to that of the Saturn’s original memory chip. Both chips conform to a DIP-28 footprint, and only a single jumper wire on pin 22 was required to hold the FM1808 chip’s output-enable signal active-low as opposed to the active-high enable signal on the Saturn’s factory memory chip. The before and after motherboard photos are below:

After a quick test run of multiple successful reads and writes to memory, [René] unplugged his Saturn for a couple days and found that his save files had been maintained. According to the FM1808 datasheet, they should be there for the next 45 years or so. The only downside to the upgrade is that the clock & calendar settings were not maintained upon boot-up and reset to the year 1996. But that’s nothing a bit of button-mashing couldn’t solve, because after all wasn’t the point of all this to relive a piece of the ’90s?

For more Sega Saturn goodness, check out how the Sega Saturn was finally cracked after 20 years.

Badgelife, The Hardware Demoscene Documentary

Last week, tens of thousands of people headed home from Vegas, fresh out of this year’s DEF CON. This was a great year for DEF CON, especially when it comes to hardware. This was the year independent badges took over, thanks to a small community of people dedicated to creating small-run hardware, puzzles, and PCB art for thousands of conference-goers. This is badgelife, a demoscene of hardware, and this is just the beginning. It’s only going to get bigger from here on out.

We were lucky enough to sit down with a few of the creators behind the badges of this year’s DEF CON and the interviews were fantastic. Right here is a lesson on electronic design, manufacturing, and logistics. If you’ve ever wanted to be an engineer that ships a product instead of a lowly maker that ships a product, this is the greatest classroom in the world.


H2gO Keeps Us from Drying Out

The scientific community cannot always agree on how much water a person needs in a day, and since we are not Fremen, we should give it more thought than we do. For many people, remembering to take a sip now and then is all we need and the H2gO is built to remind [Angeliki Beyko] when to reach for the water bottle. A kitchen timer would probably get the job done, but we can assure you, that is not how we do things around here.

A cast silicone droplet lights up to show how much water you have drunk and pressing the center of the device means you have taken a drink. Under the hood, you find a twelve-node NeoPixel ring, a twelve millimeter momentary switch, and an Arduino Pro Mini holding it all together. A GitHub repo is linked in the article where you can find Arduino code, the droplet model, and links to all the parts. I do not think we will need a device to remind us when to use the bathroom after all this water.

Another intrepid hacker seeks to measure a person’s intake while another measures output.
