[Ken Shirriff] has seen the insides of more integrated circuits than most people have seen bellybuttons. (This is an exaggeration.) But the point is, where we see a crazy jumble of circuitry, [Ken] sees a riddle to be solved, and he’s got a method that guides him through the madness.
In his talk at the 2016 Hackaday SuperConference, [Ken] stepped the audience through a number of famous chips, showing how he approaches them and how you could do the same if you wanted to, or needed to. Reading an IC from a photo is not for the faint of heart, but with a little perseverance, it can give you the keys to the kingdom. We’re stoked that [Ken] shared his methods with us, and gave us some deeper insight into a handful of classic silicon, from the Z80 processor to the 555 timer and LM7805 voltage regulator, and beyond.
People who have incredible competence in a wide range of fields are rare, and it can appear deceptively simple when they present their work. [Chris Gerlinsky]’s talk on breaking the encryption used on satellite and cable pay TV set-top boxes was like that. (Download the slides, as PDF.) The end result of his work is that he gets to watch anything on pay TV, but getting to watch free wrestling matches is hardly the point of an epic hack like this.
The talk spans hardware reverse engineering of the set-top box itself, chip decapping, visual ROM recovery, software reverse analysis, chip glitching, creation of custom glitching hardware, several levels of crypto, and a lot of very educated guessing. Along the way, you’ll learn everything there is to know about how broadcast streams are encrypted and delivered. Watch this talk now.
Some of the coolest bits:
Reading out the masked ROM from looking at it with a microscope never fails to amaze us.
A custom chip-glitcher rig was built, and is shown in a few iterations, finally ending up in a “fancy” project box. But it’s the kind of thing you could build at home: a microcontroller controlling a switch on a breadboard.
The encoder chip stores its memory in RAM: [Chris] uses a beautiful home-brew method of desoldering the power pins, connecting them up to a battery, and desoldering the chip from the board for further analysis.
The chip runs entirely in RAM, forcing [Chris] to re-glitch the chip and insert his payload code every time it resets. And it resets a lot, because the designers added reset vectors between the bytes of the desired keys. Very sneaky.
All of this was done by sacrificing only one truckload of set-top boxes.
Our jaw dropped repeatedly during this presentation. Go watch it now.
[CNLohr] needs no introduction around these parts. He’s pulled off a few really epic hacks. Recently, he’s set his sights on writing a simple, easy to extend library to work with the HTC Vive VR controller equipment, and in particular the Watchman controller.
There’s been a lot of previous work on the device, so [Charles] wasn’t starting from scratch, and he live-streamed his work, allowing others to play along. In the process, two engineers who actually worked on the hardware in question, [Alan Yates] and [Ben Jackson], stopped by and gave some oblique hints and “warmer-cooler” guidance. A much-condensed version is up on YouTube (and embedded below). In the links, you’ll find code and the live streams in their original glory, if you want to see what went down blow by blow. Code and more docs are in this Gist.
[Jason Holt] wrote in to tell us about the release of his PRUDAQ project. It’s a dual-channel 10-bit ADC cape that ties into the BeagleBone’s Programmable Realtime Units (PRUs) to shuttle through up to 20 megasamples per second for each channel. That’s a lot of bandwidth!
The trick is reading the ADC out with the PRUs, which are essentially a little bit of programmable logic that’s built onto the board. With a bit of PRU code, the data can be shuttled out of the ADC and into the BeagleBone’s memory about as fast as you could wish. Indeed, it’s too fast for the demo code that [Jason] wrote, which can’t even access the RAM that fast. Instead, you’ll want to use custom kernel drivers from the BeagleLogic project (which we’ve covered here before).
But even then, if you don’t want to process the data onboard, you’ve got to get it out somehow. 100 Mbit Ethernet gets you 11.2 megabytes per second, and a cherry-picked flash drive can save something like 14-18 megabytes per second. But the two 10-bit ADCs, running full-bore at 20 megasamples per second each, produce something like 50-80 megabytes per second. Point is, PRUDAQ is producing a ton of data.
So what is this cape useful for? It’s limited to the two-volt input range of the ADCs — you’ll need to precondition signals for use as a general-purpose oscilloscope. You can also multiplex the ADCs, allowing for eight inputs, but of course not at exactly the same time. But two channels at high bandwidth would make a great backend for a custom SDR setup, for instance. Getting this much ADC bandwidth into a single-board computer is an awesome trick that used to cost thousands of dollars.
We asked [Jason] why he built it, and he said he can’t tell us. It’s a Google Research project, so let the wild conjecture-fest begin!
We have talked about a whole slew of logic and interconnect technologies including TTL, CMOS and assorted low voltage versions. All of these technologies have in common the fact that they are single-ended, i.e. the signal is measured as a “high” or “low” level above ground.
This is great for simple uses. But when you start talking about speed, distance, or both, the single ended solutions don’t look so good. To step in and carry the torch we have Differential Signalling. This is the “DS” in LVDS, just one of the common standards throughout industry. Let’s take a look at how differential signaling is different from single ended, and what that means for engineers and for users.
Single Ended
Single Ended: TTL, CMOS, LVTTL, Etc.
Single Ended and Sources of Noise
Collectively, standards like TTL, CMOS, and LVTTL are known as Single Ended technologies, and they share some undesirable attributes. Because the signal is measured relative to ground, ground noise directly eats into the noise margin (the budget for how much noise is tolerable), and any noise induced onto the signal line, also measured to ground, adds directly to the overall noise as well.
By making the voltage swing to greater voltages we can make the noise look smaller in proportion but at the expense of speed as it takes more time to make larger voltage swings, especially with the kind of capacitance and inductance we sometimes see.
Differential
Enter Differential Signaling, where we use two conductors instead of one. A differential transmitter produces an inverted version of the signal and a non-inverted version, and we measure the desired signal strictly between the two instead of to ground. Now ground noise doesn’t count (mostly), and noise induced onto both signal lines gets canceled: we only amplify the difference between the two, so anything common to both conductors, such as the noise, is not amplified.
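To make the common-mode rejection argument concrete, here is an added Python model (not from the article) that pushes the same bit pattern through a single-ended link and a differential link while adding identical ground bounce and induced noise to every conductor. The voltage levels, noise samples and function names are constructed for illustration and do not represent any particular logic standard. The model also shows the caveat the prose hints at with “(mostly)”: noise that lands on only one of the two conductors is not common-mode and is not rejected.

```python
"""Single-ended vs differential signaling under ground bounce and induced noise.

Added example, not from the original article. All voltage levels and noise
samples below are constructed illustration values, not any standard's spec.
"""

# Constructed single-ended levels: signal is judged against ground.
SE_HIGH, SE_LOW, SE_THRESHOLD = 3.3, 0.0, 1.65

# Constructed differential levels: a small swing around a common-mode level,
# carried as a non-inverted (plus) and inverted (minus) copy.
DIFF_COMMON, DIFF_SWING = 1.2, 0.35


def encode_single_ended(bits):
    """One wire; a '1' is a high level measured to ground."""
    return [SE_HIGH if b else SE_LOW for b in bits]


def encode_differential(bits):
    """Two wires; minus is the inverted copy of plus around DIFF_COMMON."""
    half = DIFF_SWING / 2
    plus = [DIFF_COMMON + (half if b else -half) for b in bits]
    minus = [DIFF_COMMON - (half if b else -half) for b in bits]
    return plus, minus


def decode_single_ended(wire, ground_noise, induced_noise):
    """Receiver compares wire-to-ground voltage with a fixed threshold.

    Ground bounce shifts the reference, induced noise shifts the wire; both add
    straight onto the measured level, so both eat directly into the margin.
    """
    seen = [v + g + n for v, g, n in zip(wire, ground_noise, induced_noise)]
    return [1 if v > SE_THRESHOLD else 0 for v in seen]


def decode_differential(plus, minus, ground_noise, induced_noise, plus_only_noise=None):
    """Receiver compares the two wires with each other, not with ground.

    Ground bounce and induced noise land identically on both conductors and
    cancel in the subtraction. `plus_only_noise` models a disturbance hitting
    just one conductor; that part is differential-mode and is NOT rejected.
    """
    if plus_only_noise is None:
        plus_only_noise = [0.0] * len(plus)
    seen_p = [p + g + n + x for p, g, n, x in zip(plus, ground_noise, induced_noise, plus_only_noise)]
    seen_m = [m + g + n for m, g, n in zip(minus, ground_noise, induced_noise)]
    return [1 if p > m else 0 for p, m in zip(seen_p, seen_m)]


def bit_errors(sent, received):
    """Count positions where the receiver decoded the wrong bit."""
    return sum(1 for s, r in zip(sent, received) if s != r)


def run_comparison(bits, ground_noise, induced_noise):
    """Return (single_ended_errors, differential_errors) for the same noise."""
    se_rx = decode_single_ended(encode_single_ended(bits), ground_noise, induced_noise)
    plus, minus = encode_differential(bits)
    diff_rx = decode_differential(plus, minus, ground_noise, induced_noise)
    return bit_errors(bits, se_rx), bit_errors(bits, diff_rx)


# Constructed sample: eight bits, per-bit ground bounce and induced noise in volts.
BITS = [1, 0, 1, 1, 0, 0, 1, 0]
GROUND_NOISE = [0.0, 1.9, 0.0, -1.8, 2.0, 0.0, -0.5, 1.7]
INDUCED_NOISE = [0.1, 0.0, -0.3, 0.0, 0.2, 0.4, -0.2, 0.0]

if __name__ == "__main__":
    se_err, diff_err = run_comparison(BITS, GROUND_NOISE, INDUCED_NOISE)
    print(f"single-ended bit errors: {se_err}, differential bit errors: {diff_err}")
    # Same link, but a disturbance on only the plus wire: differential-mode, not rejected.
    plus, minus = encode_differential(BITS)
    one_wire = [-0.4, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0, 0.0]
    rx = decode_differential(plus, minus, [0.0] * 8, [0.0] * 8, plus_only_noise=one_wire)
    print(f"differential errors with single-conductor noise: {bit_errors(BITS, rx)}")
```

Worth noticing in the numbers: a ground bounce close to half the single-ended swing flips bits on the single-ended link, while the differential receiver is untouched by it regardless of magnitude. The flip side is that the differential margin is only the swing between the two wires, which is why matched routing and tight coupling of the pair matter so much in practice.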
At the Lifelong Learning Robotics Laboratory at the Erasmo Da Rotterdam in Italy, robots are (not surprisingly) used to teach all of the fundamentals of robotics. [Alessandro Rossetti] and the students at the lab have been at it for years now, and have finally finished their fifth generation of a robot called Nessie. The big idea is to help teach fundamentals of programming and electronics by building something that actually uses these principles.
The robot is largely 3D printed and uses an FPGA to interact with the physical world through a set of motors and sensors. The robot also uses a Raspberry Pi to hold the robot’s framework. The sensors are managed in hardware by readers attached to the CPU AXI bus, and because the CPU reads their values directly from memory space, the robot is reported to be quite quick.
The lab is hoping to take their robot to a robotics competition in Bari, Italy. We hope that they perform well there, since we are big fans of any robot that’s designed to teach anyone about robotics and programming. After all, there are robots that help teach STEM in Africa, robots that teach teen girls about robots, and robots that teach everyone.
If you read my first post about a simple CPLD do-it-yourself project you may remember that I seriously whiffed when I made the footprint 1” wide, which was a bit too wide for common solderless breadboards. Since then I started over, having fixed the width problem, and ended up with a module that looks decidedly… cuter.
To back up a little bit, a Complex Programmable Logic Device (CPLD) is a cool piece of hardware to have in your repertoire and it can be used to learn logic or a high level design language or replace obsolete functions or chips. But a CPLD needs a little bit of support infrastructure to become usable, and that’s what I’ll be walking you through here. So if you’re interested in learning CPLDs, or just designing boards for them, read on!